HOWARD  GARDNER  ON  HOW  TO  CHANGE  PEOPLE’S  MINDS 


Page  74 




THE  RESOURCE  FOR  INFORMATION  EXECU 


FILES  FOR 

EXTENSION 




The  project  that  IRS  CIO 
W.  Todd  Grams  is  trying  to 
fix  is  nearly  three  years 
late  and  $36.8  million 
over  budget. 


Lessons from the agency's
infamous modernization project


BY  ELANA  VARON 

Page 50


THE CIO

WEB DIET

How to Reduce
Online Transaction
Costs for a More
Profitable You

Page  58 

JOB  SECURITY 

Tips  for  CIOs  in 
Organizations  That  Burn 
Through  IT  Leaders 




How  to  light  up  a  supply  chain. 

Advance  Transformer,  a  leading  component  manufacturer  for 
lighting  systems,  had  legacy  IT  systems  that  no  longer  kept  up 
with  production  demands.  They  turned  to  HP  to  help  them  better 
manage  their  supply  chain.  Now,  with  a  unified  management 
of  the  whole  infrastructure,  their  systems  automatically  solve 
problems  as  they  occur.  All  this  has  reduced  production  time  from 
28  to  5  days,  cut  inventory  levels  by  50%  and  revealed  the  bright 
side of change. www.hp.com/adapt

Solutions  for  the  adaptive  enterprise. 




invent 


©2004 Hewlett-Packard Development Company, L.P.


Your potential. Our passion.




®  TOYOTA 


findows  Server  System,  and  "Your  potential.  Our  passion."  are  either  registerec 
ucts  mentioned  herein  may  be  the  trademarks  of  their  respective  owners 


name 

Ms.  25%  Lower  TCO  on 
Dealer  Infrastructure 
Management 




"Ten  percent  of  my  IT  group  used  to  be  dedicated 
just  to  monitoring  our  systems.  Now  they're 
dedicated  to  providing  new  services  to  dealers." 

Mylene  Mayers 

Technology  Manager,  Toyota  Motor  Sales  USA 


Make  a  name  for  yourself  with  Windows  Server  System. 

Microsoft  Windows  Server  System  makes  Toyota 
Motor  Sales  USA's  infrastructure  easier  to  manage. 
Here's  how:  using  Microsoft  Operations  Manager 
and  Windows  Server,  Toyota  has  reduced  the 
number  of  IT  staff  required  to  manage  its  dealer 
servers  from  seven  to  one,  allowing  the  other  six 
staff  members  to  be  redeployed  to  more  strategic 
work.  It's  software  that  helps  you  do  more  with 
less.  Get  the  full  Toyota  story  and  a  hands-on 
management  tool  at  microsoft.com/wssystem 


Windows 
Server  System 


Windows  Server  System™  includes  these  products: 


Server  OS 

Windows  Server™ 

Operations  Infrastructure 

Systems  Management  Server 

Application  Center 

Operations  Manager 

Internet  Security  &  Acceleration  Server 

Windows*  Storage  Server 

Application  Infrastructure 

SQL  Server™ 

BizTalk®  Server 

Commerce  Server 

Content  Management  Server 

Host  Integration  Server 

Information  Work  Infrastructure 

Exchange  Server 

Office  SharePoint™  Portal  Server 

Office  Live  Communications  Server 

VOL.  17  •  NO.  12  •  APRIL  1,  2004 


Cover  Story 

PROJECT  MANAGEMENT  I  50 

For  the  IRS 
There’s  No 
EZ  Fix 

By  assembling  a  star-studded  team  of  vendors,  the 
IRS  thought  its  $8  billion  modernization  project 
would  manage  itself.  The  IRS  thought  wrong.  Now 
the  agency’s  ability  to  collect  revenue,  conduct 
audits  and  go  after  tax  evaders  has  been  severely 
compromised.  By  Elana  Varon 

COVER  PHOTO  BY  RON  HOLTZ 




The  IRS’s  newest  CIO,  W.  Todd  Grams,  is  working  to  correct  the 
agency’s  previous  modernization-project  mistakes,  but  it  won’t  be 
easy.  And  everyone’s  patience  has  about  run  out. 


Features 


E-COMMERCE 

The  CIO  Web  Transaction  Diet  I  58 

You  gained  a  lot  of  customers  during  the  Internet  boom. 

Now  every  time  they  use  your  site,  especially  when  they 
don’t  buy  anything,  they’re  inflating  your  operating  expenses. 
Here’s  how  to  shed  those  unwanted  costs  and  reveal  a  slimmer, 
more  profitable  you.  By  Christopher  Lindquist 


Jean  Davis,  head  of  IT  for 
Wachovia,  embodies  the  new 
customer-centric  approach  to 
megamergers.  “We  knew  that 
if  we  didn’t  adequately  test,” 
she  says,  "our  customers 
would  test  for  us.” 


CUSTOMER  RELATIONSHIP  MANAGEMENT 
Banks  Fight  Customer  Flight  I  68 

Following  mergers,  banks  used  to  sacrifice  customer  service 
in  favor  of  speedy  integration  and  cost-cutting.  But  no  more. 
Here’s  how  CIOs  are  helping  banks  implement  a  new  postmerger 
mandate  to  focus  on  customer  service.  By  Alice  Dragoon 

Q&A  I  HOWARD  GARDNER 
Getting  from  Oranges  to  Apples  I  74 

Howard  Gardner  says  it  is  possible  to  get  others  to  see  things 
differently.  But  as  the  Harvard  professor  tells  CIO  Senior  Editor 
Edward  Prewitt,  it  takes  perseverance  and  finesse. 

THE  CIO  ROLE 

How  to  Become  a  Fixture  I  78 

At  companies  notorious  for  burning  through  CIOs,  your 
credibility  and  effectiveness  are  in  question  the  moment  you 
walk  through  the  door.  By  Ben  Worthen 



CIO  APRIL  1,  2004  •  www.cio.com 


The  right  software  can  help  today's  CIO 
become  tomorrow's  corporate  leader. 

It's  amazing  what  the  right  software  can  do  in  the  right  hands.  Just  ask  the 
CIOs  taking  advantage  of  our  management  software  for  utility  computing. 
They've  transformed  previously  complex  disparate  infrastructures  into 
integrated  springboards  for  business  success.  And  they've  capitalized  on 
tomorrow's  trends  while  heading  off  today's  problems,  all  while  maximizing 
their  existing  resources.  To  learn  how  management  software  can  benefit 
your  business,  not  to  mention  your  career,  go  to  ca.com/management3. 


Computer  Associates® 


©  2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


Columns 

PEER  TO  PEER 

What  I  Learned  in  School  I  38 

The  CIO  for  a  large  school  district 
found  that  listening  to  her  peers  on 
the  educational  side  helped  her  rebuild 
IT’s  credibility.  By  Marcia  Bohannon 

FROM  THE  PUBLISHER 
Time  for  a  National 
Technology  Policy  I  84 

The  Web  and  globalization  have  leveled 
the  playing  field  for  countries  to  compete. 
Some  people  worry  how  the  United  States 
can  maintain  its  technology  leadership. 

By  Gary  Beach 

Sections 

TRENDLINES  I  22 

Redundant  British  health  project;  Phishing 
for  e-mail;  Tale  of  the  9-track  tape. 

And  more 

OFF  THE  SHELF  I  26 

The 18 Immutable Laws of Corporate
Reputation; CIO Best-Sellers

ON  THE  MOVE  I  32 

Mergers  put  four  key  career  questions 
to  CIOs. 

ALSO:  CIOs  on  the  go — see  where 
your  IT  peers  are  working  now. 


NEW in CIO

REAL  VALUE  I  44 

By  Howard  Rubin 

Where’s  the  Beef? 

Introducing  our  new  Real  Value 
columnist,  Howard  Rubin:  He  says 
that  the  first  step  to  determining  and 
measuring  value  is  to  create  categories  for 
your  company’s  business  goals  and  then 
prioritize  your  IT  initiatives  within  them. 


HOTSEAT  I  87 
It’s  Politics,  As  Usual 

Don’t  wrinkle  your  nose  and  don’t  turn 
the  page.  Politics  is  part  of  organizational 
life.  Here’s  what  you  need  to  know. 

By  Lafe  Low 

MANAGEMENT REPORTS I 89

When  Parts  Don’t  Make  a  Whole: 

Using  a  systems  model  for  organizational 
alignment. 

LEADERSHIP  AGENDA  I  90 

Managing  IT  Demand  101:  Some 
IT  professionals  still  haven’t  learned 
to  work  with  the  business  to  manage 
demand  for  IT  services. 

By  Susan  H.  Cramm 


In  Every  Issue 

INBOX I 14

Reader  feedback 

INDEX  I  94 

EXECUTIVE  SUMMARY  I  96 

Abstracts  of  all  the  feature  stories  found 
in  this  issue. 


“Users  either  didn’t  know  what  they  wanted  or  couldn’t 
understand  what  they  were  being  asked  about.  Clearly, 
we  had  a  glitch  in  communication.” 

-Marcia  Bohannon,  Peer  to  Peer  columnist  Page  38 




Your  company 
turns  to  you  for 
infrastructure 
security. 

So where can you turn?

Security  is  a  primary  concern  for  all  of  us.  That's  why  we've  developed  an  array  of  new  tools  and  guidance,  centralized 
at  microsoft.com/security/IT.  It's  a  resource  you  can  turn  to  for  timely  news,  education,  and  tools,  all  intended  to  help 
you  better  plan  and  manage  the  security  strategy  that's  right  for  your  company. 


Take advantage of the latest tools and training at microsoft.com/security/IT.


Free  Security  Training 

Register  for  free  security  management  training, 
including  a  Security  Summit  in  a  city  near  you,  weekly 
security  Webcasts,  and  in-depth  e-learning  designed 
to  help  you  improve  your  security  infrastructure. 

Free  Tools  and  Updates 

Streamline  patch  management  with  free  tools 
such  as  Microsoft®  Software  Update  Services. 
Download  software  like  Microsoft  Baseline  Security 
Analyzer  to  verify  that  your  systems  are  configured 
to  maximize  security. 


Free  Emergency  Notifications 

Sign  up  to  stay  up-to-date  with  the  latest 
vulnerability  assessments,  mitigation  advice,  and 
patch  availability. 

Free  Security  Guidance  Kit 

Evaluate  detailed  guidance  and  templates, 
then  pre-order  your  free  CD-ROM  with  roadmaps 
and  how-to  guides.  Learn  how  measures  like 
automating  security  patch  installation  and 
blocking  unsafe  e-mail  attachments  can  help 
better  protect  your  organization. 


Go  to  microsoft.com/security/IT 


For  ongoing  guidance  to  help  better  plan  and  manage  your 
company's  IT  security,  go  to  microsoft.com/security/IT  today. 

Microsoft * 


©  2004  Microsoft  Corporation.  All  rights  reserved.  Microsoft  is  a  registered  trademark  of  Microsoft  Corporation  in  the  United  States  and/or 
other  countries.  The  names  of  actual  companies  and  products  mentioned  herein  may  be  the  trademarks  of  their  respective  owners. 


Canon  and  Canon  Know  How  are  registered  trademarks  of  Canon  Inc.  IMAGERUNNER  is  a  registered  trademark  of  Canon  Inc.  in  the  U.S.  and  Canada.  IMAGEANYWAREisa 


NOT  BUSINESS  AS  USUAL 


PRESENTING  THE  SUITE  OF  imageRUNNER®  NETWORK  PRINTING  SOLUTIONS. 


We know you’re always looking for new ways to solve your network printing problems. Then there’s the constant pressure to reduce costs and increase productivity. Well, you’ll find that our imageRUNNER network printing solutions are the answer. They’re easily integrated into your company’s work process, they’re fully connected and they can be tailored to meet your specific workflow needs. Overall, Canon imageRUNNER solutions deliver a level of reliability, productivity and value that you didn’t think was possible. See? You don’t have to settle for business as usual.

www.usa.canon.com 1-800-OK-CANON


KNOW  HOW 


READ  MORE 

More  to  Mine 
on  the  Mind 

Howard Gardner, a Harvard psychologist,
has a thing or two to say about changing
minds (yours and others’) in his new book,
Changing Minds. In our interview with him
(see Getting from Oranges to Apples, Page
74), he outlines the seven levers needed to
redirect thinking. If you still need convincing,
read an excerpt from his book. The
chapter excerpt, titled “Changing Directions
at BP,” can be found on CIO's sister
website www.darwinmag.com and at
www.cio.com/printlinks.


LEARN  MORE 

Why  Wachovia 
Gets  It  Right 

Mismanaged bank mergers can earn such unprofitable results as losing one in five customers (See Banks Fight Customer Flight, Page 68). So what did Wachovia do to earn itself a steady customer base when it merged with First Union? Hint: Stay in touch with your customers and share information with your staff. Find the full story in the Web box “Why Wachovia Gets It Right” in the online version of this story, or go to www.cio.com/printlinks.


KEEP  UP  with  CIO’s  newest  features 
and  online  offerings  by  subscribing 
to  one  of  our  free  newsletters. 

>  CIO  Insider  brings  twice-weekly 
updates  on  what's  new  on  the  site. 

>  CIO  Wanted  is  a  must  for  those 
seeking  new  job  opportunities. 

> If being an executive sometimes
taxes your energies, read the
Leadership & Management Review
for links to articles that will help you
be the manager you want to be.

To  see  samples  and  to  subscribe 
to  these  and  any  other  of  our  two 
dozen  free  newsletters,  go  to 
www.cio.com/newsletters. 


Our  Daily  Web 

MONDAY  Tech  Tact 

Technology  Editor  Christopher 
Lindquist  covers  what’s  coming. 

TUESDAY  Quick  Poll 

Vote  with  your  mouse,  and  see 
how  other  IT  leaders  feel  about 
current  events. 

WEDNESDAY  Metrics 

Web  Writer  Jon  Surmacz  makes 
sense  of  the  numbers. 

THURSDAY  Sound  Off 

Web  Editorial  Director  Art  Jahnke 
opines  on  managerial,  political 
and  ethical  dilemmas. 


FRIDAY The Big Picture

Charts and graphs that are worth
a thousand words.

EVERY WEEKDAY The News

We synthesize the top IT news
stories of the day.


get interactive

SISTER PUBLICATION CSO magazine and the Software Engineering Institute's CERT
Coordination Center have teamed up to create a Security Capability Assessment
Tool. This interactive exercise can help you enhance security strategy and policies.
It assesses current security practices and determines which ones are repeatable,
documented, and regularly reviewed and updated. You see the results of your input
immediately. The overall findings will be available at www.csoonline.com later this
year. To find out where your security stands, go to www.cio.com/security and look
for the headline: CSO Magazine and CERT Security Capability Assessment Tool.




PHOTO  LEFT  BY  CHRISTOPHER  HARTING 


the  Oracle  Grid 

turns  64  small  servers 
into  a  giant  mainframe 


It's  fast... 
it's  cheap... 
and  it  never  breaks 


oracle.com/grid 
or  call  1.800.633.0753 


Note:  'Never  breaks'  indicates  that  when  a  server  goes  down,  your  system  keeps  on  running. 


Copyright  ©  2003,  Oracle  Corporation.  All  rights  reserved.  Oracle  is  a  registered  trademark  of  Oracle  Corporation  and/or  its  affiliates. 


reach 

AVAYA

a  higher  plane 
of  communication 


WHICHEVER  PATH  YOU  CHOOSE- 

Client-Server  or  IP-enabled  Telephony- 
you’ll  make  the  most  of  your  existing 
equipment  and  applications  with  Avaya. 
Keep  up  to  85%*  (or  more!)  with  our 
open  standards-based  solutions  and 

multi-vendor,  multi-technology  expertise. 
The  world  leader  in  IP  Telephony  offers 
you  the  flexibility  to  support  a  diverse 
set  of  endpoints-IP,  digital,  analog  and 
mobile.  As  well  as  voice  encryption  for 
maximum  security  anywhere  on  your 

network.  We’ve  even  got  flexible 
solutions  for  greenfield  installations. 

All  supported  by  Avaya  Global  Services. 

So  start  moving  to  IP  without  the  heavy 
lifting  at  avaya.com/iptelephony.  Or  call 
866-GO  AVAYA  today. 

IP  Telephony 

Contact  Centers 

Unified  Communication 

Services 

Migrate to IP Telephony.

KEEP 85%

of your current investment

NIX THE FORKLIFT.


*Based on historical results. Individual results may vary depending upon your specific network environment.
© 2004, Avaya Inc. All Rights Reserved. Avaya, the Avaya Logo, and all trademarks identified by ® or ™ are trademarks of Avaya Inc.
and may be registered in certain jurisdictions. All other trademarks are the property of their respective owners.


InBox 

Reader  Feedback 


PRO  PATCH  MANAGEMENT 

“FrankenPatch”  (Nov.  1, 2003)  did  an  excellent  job  of  covering  the  pros  and 
cons  of  active  patch  management. 

Based  on  my  experience,  I  come  down  on  the  side  of  active  patch 
management.  My  company,  Getronics,  has  clients  that  employ  remote 
system  management  and  others  that  opt  not  to  have  the  service. 

During  last  summer’s  virus  attacks,  daily  calls  to  our  help  desk  from 
unprotected  clients  increased  by  100  percent,  200  percent  and,  in  one  case, 
by  more  than  500  percent.  Our  clients  that  outsource  their  systems  management  to 
evaluate,  test  and  apply  the  security  updates  experienced  no  increase  in  help  desk  calls, 
and  one  client  actually  saw  a  decrease. 

There  is  no  doubt  that  companies  that  were  not  prepared  with  up-to-date  firewalls,  virus 
software,  and  properly  tested  and  applied  software  patches  suffered  lost  productivity  and 
invested  more  resources  in  reacting  to  the  crisis. 


Barbara Dobson • Director, Infrastructure Solutions Center • Getronics IT Sourcing Services
Houston Enterprise Service Center • barbara.dobson@getronics.com


ERP TOUCH-UP

I’d like to comment on your Nov. 15,
2003, story “Extreme ERP Makeover.”

The database offerings from most
ERP vendors may be just as hamstrung
by legacy constraints as are many of the
disparate systems they hope to replace.
An organization considering a single-instance
ERP solution should have
already completed most of an enterprise-level
data model, so that their basic data
needs are known.

If the single-instance ERP solution’s
database has at least a 90 percent fit with
the enterprise data model, then the ERP
vendor and the client organization are
thinking the same way. If not, then no
amount of customization will be enough.
You may also want to evaluate the
prospective vendor’s data model on the
basis of how “future-proof” it is. Modern
data models can be designed to make
future expansion relatively painless.

After you have assessed the data fit,
you can then evaluate the applications
on the basis of how many hoops your
business processes will need to jump
through before your organization and
the ERP solution are getting along.
Modifications can require more effort
than a custom-built application developed
in-house.

The Web services model of tossing
data from application to application
may have some potential, but I can also
imagine a “silk purse out of a sow’s ear”
situation. At the very least, if you decide
to go with a Web services solution, you
may still need a consolidated, single-instance
database somewhere. In this
way, the single-instance database can act
as a hub between the disparate best-of-breed
applications, resolving differences
between enterprise-level data (different
customers or product numbers on different
systems, and other such data
transformations) and acting as a source
for enterprise-level consolidated reports
and CRM requirements.

Randy Piscione

Data Architect, I. Mendez & Associates
piscione@sympatico.ca


NO LOYALTY HERE

I read with interest your article “Don’t
Wait to Groom a Successor” (Trendlines,
Dec. 1, 2003).

One  of  my  colleagues  did  just  that — 
when  our  company  was  in  a  downward 
spiral,  he  not  only  held  on,  he  convinced 
others  in  his  department  to  stay,  and  he 
groomed  one  person  to  be  his  successor. 
Had  he  not  done  so,  it  would  have  been 
a  death  spiral  for  the  company. 

To turn the company around, a new
CEO was hired to replace our COO (who
now has a different position in our company),
and management was looking for
cutbacks so that the CEO’s salary could
be paid. Guess who got the ax?

Talk about rewarding loyalty and better
judgment. My ex-colleague is now
working at a much lower-level job (not
just pay-wise, but in terms of responsibility
as well) in a totally different career.

He  might  as  well  be  flipping  burgers. 

Anonymous 

THOUGHTS  ON  SHAPING 
THE  FUTURE 

I  believe  one  man  or  woman  can  make  a 
world  of  difference  (“Is  Your  Future 
Written?”  Dec.  15,  2003/Jan.  1,  2004). 




YOU’D JUMP AT THE CHANCE
TO MANAGE ALL REPORTING
WITH A SINGLE PRODUCT.
SO WHY ARE YOU
STILL SITTING THERE?


COGNOS  REPORTNET. 
THE  NEW  STANDARD. 


See  enterprise  reporting  for  what  it  really  is. 

A  strategic  advantage. 

Introducing  Cognos  ReportNet.™ 

The  only  solution  comprehensive  enough 
to  standardize  all  your  enterprise  reporting. 

From  customized  queries  to  production.  On  a  single  product. 

Built  on  a  zero-footprint,  open  architecture  created  specifically  for  the  Web. 
Designed  to  meet  the  needs  of  a  global  enterprise. 

It’s  a  key  part  of  a  comprehensive  Business  Intelligence  solution. 


Take  the  first  step  toward  managing  performance. 
Read  about  Breakthrough  Reporting  at: 


Copyright  ©  2003  Cognos  Incorporated.  All  rights  reserved. 




We  have  a  proud  history  of  innovation  in 
the  IT  industry,  often  attributed  to  an 
individual  or  small  group  of  individuals. 

Numerous  open-source  projects  come 
to  mind  as  examples  of  the  difference 
one  person  can  make.  Take  the  Apache 
Web  server  as  an  example:  It  is  currently 
hovering  somewhere  near  66  percent 
market  share.  Linus  Torvalds  and  Linux 
come  to  mind  as  another  example. 

Just  as  there  are  examples  within  the 
software  space,  there  are  examples  in  the 
business  space.  Through  hard  work, 
patience,  vision  and,  most  important,  the 
courage  to  stand  up  to  detractors  and 
quite  possibly  the  masses  over  issues  one 
believes in will prevail in the end. Oh,
and one last thing is needed: a healthy
dose of optimism to keep the positive
attitude when you’re weary from dodging
all the bullets being fired at you. A
positive attitude is infectious and a prerequisite
for success.

The day an individual cannot make a
difference is the day the American dream
dies. America has been the land of opportunity
since its inception. We face complex
challenges, but they can be overcome.
It all starts with an individual believing it
can be done.

Ken  Burbary 

Vice  President  and  Software  Architect 
Campbell-Ewald 
kburbary@campbell-ewald.com 

HOW  TO  ADD  VALUE 

Lester Thurow’s comment that we are
moving toward a harsher form of capitalism
(“We Can Shape the Global
Economy,” Dec. 15, 2003/Jan. 1, 2004)
is consistent with conversations we are
having at my company. Many of the
ways in which we used to add value no
longer work. Much of this change boils
down to a simple paradigm shift: For
routine work, it is now cheaper to move
the work than it is to move the workers,
and geography becomes secondary.

Consequently,  the  work  where  we  can 
add  value  is  much  more  difficult  than 


what we were used to. We strain to make
things  happen.  A  leader  of  one  of  our 
integration  projects  yesterday  complained 
that  we  were  on  uncharted  ground,  where 
none  of  our  existing  process  approaches 
worked. 

My response was that if the project
were easy, we already would have mechanized
or outsourced it. By doing something
no one has done before, we improve
our chances of adding value.

It is good for the rest of the world that
this is happening. We should welcome
the change, however hard it may be. We
can make a difference by continually asking,
How do we add value now?

One  way  is  by  anticipating  partner 
needs  better  than  we  do  today.  I  find  that 
the  imagination  of  our  partners  no  longer 
keeps  up  with  what  is  possible,  and  just 
delivering  what  is  asked  no  longer  brings 
the  value  it  once  did.  Doing  merely  what 
is  asked  leaves  us  behind.  We  need  to  help 
our  partners  stretch  their  imaginations. 
To  do  so,  we  must  understand  their  work 
as  well  as  we  understand  our  own — and 
that  is  hard. 

But  deciding  to  do  this  hard  work  is 
within  my  control.  We  are  not  without 
options.  We  can  make  a  difference. 

David  Lominac 

Manager,  IT  Strategy 

PREDICTING  TATA’S  FUTURE 

Your article on “The Future of Jobs and
Innovation” (Dec. 15, 2003/Jan. 1, 2004)
touched many sensitivities of the IT community
and was almost personal to me.

I am a firm believer in Scenario One,
although ironic exaggerations of Scenario
Two may be less foreign than one
might think.

You write, “It’s 2010. Tata Consultancy
Services (TCS) has made New
York City its de facto worldwide headquarters
and opened more than 100
satellite offices around the country. No
longer simply a provider of lower-level
application development and maintenance
work based in Mumbai, India,
Tata now provides high-level consulting
and business process improvement, overtaking
IBM Global Services as the leading
IT services provider in the States—and
the world. The company has hired a
recent Nobel Prize winner to head up its
burgeoning R&D business, and rumor
has it that a recently out-of-work Sam
Palmisano, formerly CEO of IBM, was
sniffing around for a position there.”

What  you  write  is  not  far  from  reality: 

1.  TCS’s  announced  strategy  to  become 
one  of  the  “Global  Top  10  in  software 
development,  systems  integration  and 
high-level  consulting  and  business  process 
improvement”  is  my  area  of  responsibility. 

2.  TCS  already  has  50  offices  and  nine 
development  centers  in  the  United  States 
and  Canada,  and  149  offices  worldwide. 
TCS  indeed  creates  U.S.  jobs,  often  in 
depressed  areas. 

3.  Recently,  I’ve  sent  congratulatory 
notes  to  my  former  immediate  boss  and 
mentor  on  his  2003  Nobel  Prize  (not 
related  to  TCS’s  scope). 

So I hope your strikingly clear vision
for the future of innovation will be realized
with sustained U.S. thought and
technology leadership, which, of course,
is a result of American motivation,
investment and freedom.

A.  Altshuler 

Vice  President,  TCS  America 
Financial  Services  Strategy  Practice 
a.altshuler@usa-tcs.com

CORRECTION 

A story in the Jan. 15, 2004, Trendlines
section, “Science Fair Grows Up,” misspelled
the name of a university student
competition started by the University of
Texas. It is called the Idea to Product
competition.


What  Do  You  Think? 


Send your thoughts and feedback to
letters@cio.com. Letters may be edited for
length or clarity. For a link to the articles
mentioned, go to www.cio.com/printlinks.



EMC INFORMATION LIFECYCLE MANAGEMENT STRATEGIES: OVERVIEW


Advertising  Supplement 


INFORMATION 
LIFECYCLE 
MANAGEMENT  IS: 

a  strategy  that  uses 
people,  processes  and 
technology  to  store  and 
tap  critical  business 
data  throughout  its 
lifespan  of  value. 


IN  THIS  EDITION: 

Pressured to better
manage information
assets, companies today
need an overarching
plan to prioritize business
information based
on its value to the
enterprise. Many are
turning to a new concept
called Information
Lifecycle Management
as an innovative, end-to-end
solution.


Making  the  Case  for 
Information  Lifecycle  Management 


MAKE  NO  MISTAKE:  using  information 
wisely  can  make  or  break  your  company. 

Once a supporting player in the
creation of goods and services, information
today is the star of the show,
acting as the linchpin to success for
enterprises worldwide. And as the
latest business applications provide
new methods of organizing and
managing information, innovative
companies worldwide have placed
the strategic use of information at
the heart of their business models.
These companies realize that if managed
wisely, corporate information
can yield rich nuggets of insight to
help them create additional revenue
streams and enhance existing lines of
business.


“The ability to use and leverage
information as a company to drive
additional business is critical,” says
Mark Lewis, chief technology officer
at EMC, based in Hopkinton, Mass.
“For many companies, smart use of
information has truly become a differentiator,
particularly as technology
provides companywide access.”

But knowing that information is a
vital strategic tool and being able to
fully wield that tool are two different
things. Business leaders may realize
that they are sitting on a gold mine
of knowledge, but they remain frustrated
by their inability to harness
the power of information. For many,
the solution is taking the form of
Information Lifecycle Management.




Managing information wisely means finding a way to link and analyze
the data that lies in disparate applications across the enterprise.

“Information is much more interrelated, and people are more
interested in that interrelation.”

—Ron Williams, senior manager at Earthlink


CHALLENGES  TO  INFORMATION 
MANAGEMENT 

There  are  a  number  of  obstacles  in  the 
path  of  executives  who  seek  to  create  and 
exploit  an  integrated  flow  of  information 
throughout  their  companies.  Among  the 
challenges: 

SEVEN DEADLY SPEEDBUMPS

Here are the top 7 challenges to effective
information management:

• Explosive Information Growth

• Cost Constraints

• Information’s Strategic Value

• Perceived Strategic Value

• Regulatory Issues

• Fluid Nature of Information

• Perceived Business Value


GROWTH STORAGE CAPACITY
FOR COMPLIANT RECORDS

The capacity of compliant records will increase
from 376PB in 2003 to 1,644PB in 2006,
representing a CAGR of 64%

[Chart: Total Aggregate capacity of Compliant records]

SOURCE: ENTERPRISE STORAGE GROUP,
COMPLIANCE STUDY, MAY 2003

The need to meet compliance requirements will
continue to grow, requiring methodologies and
technologies to understand the value of information
and how to manage it accordingly.


Explosive Information Growth. The vast
majority of business information is online
now, fueling explosive growth in the infrastructure
that supports it. “I’m constantly
hearing about how much information is
growing as IT is integrated into the business
process,” says Mike Fisch, director of storage
and networks at The Clipper Group, a
consultancy based in Wellesley, Mass. Data
reside in a variety of formats—the unstructured
data found in emails and Word files,
the structured information of databases and
transactional applications—but tying
together these disparate sources of information
is a complex challenge. “Information is
much more interrelated, and people are
more interested in that interrelation,” says
Ron Williams, a senior manager at
Earthlink, a $1.3 billion Internet services
provider based in Atlanta.

What’s  more,  the  growth  of  electronic 
data  has  spawned  a  whole  new  category 
of  metadata:  information  about  the  data 
itself,  such  as  who  created  it,  who 
accessed  it,  where  it’s  been  and  who’s 
changed  it.  “It’s  an  exponential  feedback 
loop,”  says  Williams. 

Cost Constraints. Face it: companies have the difficult task of growing their informational infrastructure in a frugal climate. Budgets are flat or rising just slightly, and CIOs are under severe pressure to drive every possible penny from their spending plans. “The ability to manage data costs is super critical,” Williams says. Merely planning for growth can take up a hefty chunk of technical resources.


WORLDWIDE PRODUCTION OF ORIGINAL INFORMATION
(If stored digitally, in terabytes circa 2002)

Storage Medium   2002 Terabytes   2002 Terabytes   1999-2000        1999-2000        % Change
                 Upper Estimate   Lower Estimate   Upper Estimate   Lower Estimate   Upper Estimates
Paper            1,634            327              1,200            240              36%
Film             420,254          76,69            431,690          58,209           -3%
Magnetic         4,999,230        3,416,230        2,779,760        2,073,760        80%
Optical          103              51               81               29               28%
TOTAL:           5,421,221        3,416,281        3,212,731        2,132,238        69%

Upper estimates assume information is digitally scanned, lower estimates assume digital content has been compressed.

SOURCE: “HOW MUCH INFORMATION? 2003,” SCHOOL OF INFORMATION MANAGEMENT AND SYSTEMS, UNIVERSITY OF CALIFORNIA AT BERKELEY

Information’s Strategic Value. Cost and planning issues will not stem the relentless demand for better access to information. Businesses have grasped the undeniable strategic value of information and want that knowledge available in a seamless fashion. Bottom line: the access, availability and protection of mission-critical information are of vital importance.

Regulatory Issues. New government regulations such as Sarbanes-Oxley and the Health Information Portability and Accountability Act are throwing new wrinkles into the management of data, as companies face the risk of fines and legal action for noncompliance. “Regulations such as Sarbanes-Oxley are driving the need to be able to prove where data went [and] who accessed it, and then be able to bring it back to the state where it was last accessed,” Williams explains.

As data become more interrelated, application-specific solutions to regulatory compliance won’t get the job done, says Mike Kahn, managing director of The Clipper Group. “The problem is multi-application, as records can be in specific applications as well as in places like email.”

The Fluid Nature Of Information. Information holds different business values over the course of its life and must be managed accordingly. This means that companies need to create processes that allow information to move about freely, as needed. “Information doesn’t just move down in value,” explains Steve Kenniston, a technology analyst with Enterprise Storage Group, in Milford, Mass. “Policies should dictate that data move up and down the storage food chain as business needs dictate.”

At Earthlink, for example, Williams is building a tiered storage platform based on EMC technologies. “What EMC has been doing for a while is building the ability to move data that we need to access faster to storage that can deliver it faster and help migrate information,” he says.

The Business Value Of Information. Understanding the value of information is at the heart of managing information, and that requires some forethought on the part of both the CIO and his line of business peers. If companies want to manage information — and get it to where it needs to be in an automated format — they must first analyze and prioritize the business value that underlies the data.

“CIOs need to set up management policies that align with the value of information,” agrees Kenniston. “Cradle to grave, it’s a complex thing.”


TOP PROBLEMS INFORMATION LIFECYCLE MANAGEMENT CAN HELP*

[Bar chart, horizontal axis 0 to 25%. Categories: Recovery, Archive, Backup, Availability, Reg Compliance]

*According to 53 U.S. CIOs and Senior IT Executives

SOURCE: EMC RESEARCH GROUP FOCUS GROUPS JULY-AUGUST, ‘03

Information Lifecycle Management addresses many of the key challenges Senior IT executives believe they will face in 2004.


“CIOs need to set up management policies that align with the value of information. Cradle to grave, it’s a complex thing.”
— Steve Kenniston, technology analyst, Enterprise Storage Group


5 ELEMENTS OF AN INFORMATION LIFECYCLE MANAGEMENT STRATEGY

According to industry experts, a successful Information Lifecycle Management strategy must be:

• Business-centric: This means that IT and business need to work together to align with key processes, applications and business initiatives.

• Policy-based: New government regulations like Sarbanes-Oxley and HIPAA mandate how long data must be retained, when it may be deleted and who has access to it — all perfect candidates for policy-driven automation. CIOs should tie information policies to automated tools that ensure policy enforcement.

• Centrally managed: To provide an integrated view of all of the business’s information assets, both structured and unstructured, Information Lifecycle Management must be centrally managed.

• Heterogeneous: To operate throughout the entire enterprise, Information Lifecycle Management strategies must encompass all types of platforms and operating systems.

• Aligned with the value of data: A key aspect of Information Lifecycle Management is the ability to match storage resources to the value of business data at any given point in time. Once classified, Information Lifecycle Management matches infrastructure to the value of the data.


IMPLEMENTING INFORMATION LIFECYCLE MANAGEMENT

To understand how Information Lifecycle Management can work in real life, consider how information moves through the supply chain:

• Company XYZ receives an order for a new widget. Immediately automated tools tag the data according to preset, business-driven data policies, enabling the company to track and manage the information throughout its lifecycle.

• The data value at creation is high, as it remains during order processing, where many people access and use it to fill and ship product orders.

• After the order is shipped, the informational value drops, prompting Information Lifecycle Management tools to automatically migrate the data from a high-performance tier of storage to a lower cost level that takes longer to access.

• However, if the customer calls in with a claim about a year into the two-year warranty, for example, the Information Lifecycle Management tools, once again managed by value-driven policies, pull the product data back to a high level of storage so that customer service representatives and technical personnel can readily draw on it.

• When the warranty runs out, Information Lifecycle Management tools recognize the policies pertaining to the tagged data and automatically delete the information, thus closing out the lifecycle.


QUESTIONS ABOUT INFORMATION LIFECYCLE MANAGEMENT?

If you’ve got any further questions about Information Lifecycle Management — and how you can begin implementing such a strategy — send them to ilm_questions@emc.com.

To view other supplements in this series, or to find additional Information Lifecycle Management resources, please visit www.emc.com/ilm

BUILDING  AN  INFORMATION 
LIFECYCLE  MANAGEMENT 
STRATEGY 

Information Lifecycle Management is not a product but rather an innovative method of harnessing informational chaos. “Information Lifecycle Management is a strategy, and one that encompasses people, processes and technology,” says Kenniston. Done right, Information Lifecycle Management is proactive and dynamic, and helps companies plan IT growth to match their anticipated needs.

“Information Lifecycle Management is the ability to provide companies with universal access to information — the right information — and the most up-to-date and logical version across the enterprise,” says Tanuja Randery, vice president for global strategic initiatives at EMC. “If companies want to access and use information to their business advantage, the only way they can do that is to have a universal, unified approach to both viewing and access.”

At this early stage, industry experts are painting the picture of what Information Lifecycle Management looks like. “Information Lifecycle Management is a vision, but it’s also a practical reality for the future,” says The Clipper Group’s Fisch. [See “5 Elements of an Information Lifecycle Management Strategy,” p. 3.]

Yet Information Lifecycle Management is not something that can be implemented off the shelf, nor is it one-size-fits-all. CIOs must closely examine their organizational needs and craft a strategy that best fits their company. A big task, perhaps, but Information Lifecycle Management can — and should — be implemented in stages that greatly simplify the task. For example, customers can start by first migrating to an automated networked storage environment with tiers of storage to deliver varying price points and capabilities, then implementing data classification and management policies for key applications such as enterprise resource planning. In the end, by evolving to an enterprise-wide platform, corporations can manage corporate information across the entire enterprise.


FOR MORE INFORMATION

where information lives

Visit www.emc.com/ilm for an in-depth look at Information Lifecycle Management products, services and strategies.


CIO ENTERPRISE VALUE AWARDS


The  Resource  for 
Information  Executives 


As  an  executive  who  has  built  or  utilized  an  IT  system  that 
delivers  both  demonstrable  ROI  and  strategic  value  to  your 
organization,  you  deserve  recognition  and  praise. 

Now  in  its  13th  year,  the  CIO  Enterprise  Value  Award  will 
bring  you,  your  company  and  your  IT  organization  the 
industry  prestige  you  deserve. 


Download the application from our website at www.cio.com/eva or contact us at (888) 455-4646.

Deadline for entry: May 1, 2004


The  Resource  for  Information  Executives 


President  and  CEO  Walter  Manninen 
Publisher  Gary  J.  Beach 

Editorial  Director  Lew  McCreary 

EDITORIAL 

Editor  in  Chief  Abbie  Lundberg 
Editor  Richard  Pastore 
Managing  Editor  David  Rosenbaum 
Managing Editor, Production Cheryl R. Asselin

Executive  Editors  Alison  Bass,  Michael  Goldberg, 
Christopher  Koch 

Leadership and Management Editor Edward Prewitt,
Opinion and Knowledge Management Editor Megan
Santosus, Research Editor Lorraine Cosgrove Ware,
Special Projects Editor Mindy Blodgett, Technology
Editor Christopher Lindquist

Senior  Editors  Scott  Berinato,  Todd  Datz, 

Alice  Dragoon,  Elana  Varon 

Senior  Writers  Meridith  Levinson,  Stephanie  Overby, 

Ben  Worthen 

Copy  Chief  Tom  Wailgum 

Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Senior  Copy  Editor  Emily  S.  Henderson 

Copy  Editor  Sarah  Johnson 

Special  Projects  Manager  Lynne  Z.  Rigolini 

Editorial  Resource  Manager  Carol  Zarrow 

Editorial  Assistant  Daniel  J.  Horgan 

Editorial  Operations  Specialist  Julie  Hanson 

Contributors  Marcia  Bohannon,  Susan  H.  Cramm,  Alan 
R.  Earls,  Meg  Mitchell  Moore,  Howard  Rubin,  Sarah  D. 
Scalet,  Dawne  Shand,  Malcolm  Wheatley 

Research  Contributor  Sally  Chicotel 


How  to  Reach  Us 

E-mail  letters@cio.com 
Phone  508  872-0080 
Fax  508  879-7784 

Address  CIO  Magazine,  CXO  Media  Inc., 

492  Old  Connecticut  Path,  P.O.  Box  9208, 

Framingham,  MA  01701-9208 

Website  www.cio.com 

Topic  Experts  www.cio.com/online_beats2.html 

Subscriber  Services  866  354-1125,  Fax  847  564-9453, 
E-mail  cio@omeda.com 

Reprint  Services  Jackie  Day  •  651  582-3856, 

E-mail  cioreprints@rsicopyright.com  (500  quantity  or  more) 

Rights  and  Permission  Andrew  Burrell  •  508  935-4785, 
E-mail  aburrell@cio.com 


DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Terri  Haas 

Associate  Art  Directors  Owen  Edwards,  George  Lee 

Senior  Designer  Kaajal  S.  Asher 

Design  Operations  Specialist  Rachel  Barnett 

Design  Contributors  Alberto  Capolino,  Leslie  Feagley, 
Andrea  Healy 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 
Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

Online 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developers  Diane  Chen,  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
E-Commerce  Manager  Andrew  Burrell 
Online  Producer  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 

Information  Systems 

Infrastructure  Manager  James  C.  Burgoyne 

User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists  Jonathan  Frappier, 
Michael  Fahlsing 

System  Administrator  Robert  Reagan 

CIRCULATION 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescara 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator  Lisa  Stevenson 

EXECUTIVE  PROGRAMS 

EP  Senior  Vice  President  Jennifer  Richards 
Conference  Management  Vice  President  Cynthia  Mollus 
Marketing  Services  Director  Shellie  Rapson  James 
Business  Development  Vice  President  John  Amato 
Business  Development  Director  John  Vulopas 
Content  Development  Manager  Lafe  Low 
Program  Operations  Manager  Brian  Fuce 
Marketing  Manager  Glede  Kabongo 
Marketing  Design  Specialist  Andrea  Slobogan 


Senior  Client  Relations  Specialist  Sandra  J.  Hughey 
Senior  Logistics  Coordinator  Michael  Barbato 
Event  Planning  Director  Amy  Turell 
Senior  Customer  Services  Coordinator  Sarah  Yee 

CIO  EXECUTIVE  COUNCIL 

General  Manager  Mark  Hall 
Director  Martha  Heller 

Director  of  External  Relations  Karen  Fogerty 
Consulting  Editor  Richard  Pastore 
Contributing  Editor  Janice  Brand 

Program  Managers  Bill  Golden,  Mindy  Hogan, 

David  Parker,  Steve  Rovniak,  Stacy  Sudan, 

Greg  Szumowski 

Operations  Assistant  Lisa  Byron 

MARKETING 

Executive  VP/Marketing  Cathy  O’Leary  Hayes 
VP/News  and  Information  Susan  Watson 
Program  Administrator  Lori  Piscatelli 
Marketing  Research  Director  Bridget  Cammarata 

Marketing Research Managers Carolyn Johnson,
Dylan DiGregorio

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  Marketing  Comm.  Specialist  Sarah  Crowley 

ADMINISTRATION 

Director  of  Finance  Margarita  Chiango 
Finance  and  Operations  Analyst  Chris  Bernardi 
Executive  Assistant  to  the  President  Diane  Martin 
Billing  Administrator  Joyce  Gillis 
Facilities  Specialist  John  Kelley 
Office  Services  Coordinator  Mary  E.  Wooldridge 

HUMAN  RESOURCES 

Human  Resources  Vice  President  Patricia  Chisholm 
Human  Resources  Manager  Tanya  Bureau 
Senior  HR  Representative  Beth  S.  Ramistella 

FOUNDER 

Joseph  L.  Levy 


INTERNATIONAL  DATA  GROUP 

CEO  Pat  Kenealy 

Board  Chairman  Patrick  J.  McGovern 


©CXO  Media  Inc, 


18  CIO  APRIL  1,  2004 


www.cio.com 


Your  IT  budgets  and  staff  have  been  slashed 




Fortunately  you  have  the  most  manageable 

video  conferencing  systems  in  the  world. 




With IT resources scarcer than ever, you need Polycom's integrated video conferencing systems. They're user friendly, easy to upgrade, manage and maintain. Deployment is virtually "plug and play." And, monitoring and management is centralized. It all adds up to a great ROI for your team and your company. Join the millions of people worldwide that already use Polycom and The Polycom Office™. With integrated video, voice, data, and Web applications, The Polycom Office makes communicating as natural as being there.

For more information and your free white paper "Demystifying IP Migration" visit www.polycom.com or call 1-877-POLYCOM. Ask about the outstanding new Polycom VSX™ 7000 - video conferencing like you’ve never seen it. Polycom. The time for manageable video conferencing is now.


POLYCOM 


Connect.  Any  Way  You  Want. 


©2003 Polycom, Inc. All rights reserved. Polycom and the Polycom logo are registered trademarks and VSX, Polycom Office and the SoundStation industrial design are trademarks of Polycom, Inc. in the U.S. and various countries


Derrick  Warren,  IBM  variable  cost  guru,  retail  industry 


Hungry  frogs  and  variable  costs 


Rana  clamitans.  The  common  green  frog?  Or  on  demand  business  case 
study?  In  a  single  summer,  this  three-inch  carnivore  devours  almost 
10,000  flies.  It’s  his  opportunity.  His  seasonal  spike.  And  he  jumps  on  it. 

Odds  are,  you  could  use  a  little  amphibious  instinct.  That  ability  to  quickly 
leap  out  of  hibernation  and  into  your  high  season.  Or  to  adjust  to  a  change 
in  supply  or  demand.  Or  customer  preference.  Or  a  new  trend.  Day  to  day, 
opportunities  change.  Needs  vary.  So  should  your  business. 

You  don’t  want  to  pay  year-round  for  resources  you  need  only  during  the 
rush.  Paying  for  what  you  need  only  when  you  need  it  is  on  demand 
business.  And  it  goes  way  beyond  IT.  It’s  about  viewing  every  bit  of  your 
cost  structure  as  potentially  variable.  Potentially  more  efficient. 

The  frog  knows:  When  the  flies  are  out,  chase  flies.  When  they  aren’t,  don’t. 

On  demand  business  starts  with  on  demand  thinking. 

We  have  180,000  experts  who  can  help  you  make  your  business  more 
variable.  With  the  business  expertise  to  see  possibilities  and  the 
IT  capabilities  to  deliver  on  them,  IBM  can  bring  more  flexibility  to  your 
business,  your  technology  and  your  culture.  On  demand  business. 

Get  there  with  on  demand  people.  Call  800  IBM  7080  (ask  for  thinking) 
or  visit  ibm.com/services/thinking 

Can  you  see  it? 


IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States and/or other countries. ©2004 IBM Corp. All rights reserved.


IF SCORES FOR patent awards to universities were like college football, there would be calls to break up the Golden Bears, the Bruins and the Banana Slugs.

For the 10th straight year, the University of California system received the most patents of any university in 2003, according to the U.S. Patent and Trademark Office. A preliminary review says the university, which has 10 campuses and manages three national laboratories for the Department of Energy, received 439 patents last year. The California Institute of Technology came in second with 139 patents. MIT (127), the University of Texas (96), Stanford University (85) and the University of Wisconsin (84) rounded out the top six.

Among the inventions in biotechnology, electrical engineering, computer science and other fields is Patent No. 6,670,578, awarded Dec. 30, to Lloyd A. Hackel, John M. Halpin and Fritz B. Harris, for a technique called laser peening that reshapes and gives specific contours to a piece of metal while strengthening it.

Take that to the Rose Bowl.


PROJECT MANAGEMENT

Why Brit Health Project Does Everything Twice


BRITAIN’S NATIONAL HEALTH SERVICE in recent months has been awarding contracts for a major IT project: creating a database of electronic patient records that will include every citizen in England. As with any billion-dollar project, there’s intense interest about the expected costs and benefits. But there’s an added wrinkle here in that the contractors are organized so that they are building duplicate IT systems all over the country. If one contractor’s records system fails, the logic goes, the others will be in a position to pick up the pieces.

The contracts total $10.3 billion over 10 years and concern just England (decentralized Wales and Scotland have their own plans). The project is possible because the tax-subsidized British health system puts 30,000 doctors’ surgeries and 270 regional hospital trusts covering 50 million patients under a single management. Advocates of computerization point to lower costs, the fact that patients’ care notes can stay with them for life and improved medical treatments from automated analysis of medical records.

If that sounds straightforward, the attractions of the contract award process are less obvious. Richard Granger, the director general of National Health Service IT and former Deloitte Consulting lead client service partner, is the first to hold this title that makes him, essentially, health service IT supremo. Granger has led this process that divides the computerization task into a series of subcontracts. Prime contractor BT will manage the project and supply the central database and network, while other regional contracts to computerize hospital and surgeries have gone to a range of companies including Accenture, CSC and Fujitsu. (One notable absentee: EDS, which was
widely  viewed  as  responsible  for  a  tax  sys¬ 
tem  foul-up  that  was  the  subject  of  a  Par- 
Continued  on  Page  24 




PHOTO-ILLUSTRATIONS  BY  STEPHEN  WEBSTER 


SAS,  the  leader  in  business  intelligence  software,  challenges 



ENTERPRISE  INTELLIGENCE 

SUPPLIER  INTELLIGENCE 

ORGANIZATIONAL  INTELLIGENCE 

CUSTOMER  INTELLIGENCE 

INTELLIGENCE  ARCHITECTURE 


With Sarbanes-Oxley compliance deadlines less than a year away, there is an urgency to deliver financial and operational transparency - one clean, consolidated and truthful version of data for all your disclosure controls and procedures. SAS® Corporate Compliance software provides auditable, searchable process and document control solutions. So you can prepare now, while creating a system that won’t be outdated when the next new legislation is enacted. Our intuitive interfaces are designed for users of any skill level - with a central point of control to manage across all environments - and an open, adaptable architecture. To find out more about how to confidently comply with Sarbanes-Oxley, including Section 404, call us toll free at 1 866 270 5729 or visit our Web site.

www.sas.com/sox 


Register  now  for  our  upcoming 
Webcast  on  compliance. 


www.sas.com/compliancesuccess 


Wednesday,  April  28, 2-3  p.m.  ET 


The  Power  to  Know* 


sas 


SAS  and  all  other  SAS  Institute  Inc.  product  or  service  names  are  registered  trademarks  or  trademarks  of  SAS  Institute  Inc.  in  the  USA  and  other  countries.  ®  indicates  USA  registration. 
Other  brand  and  product  names  are  trademarks  of  their  respective  companies.  ©  2004  SAS  Institute  Inc.  All  rights  reserved.  272712US.0304 


trendlines 


SECURITY

Phishing Pollutes E-Mail Stream

“RECENTLY OUR CUSTOMERS have reported receiving fraudulent e-mails that appear to be from Bank One,” begins one e-mail that sure looks like it’s from Bank One. “Please log in and learn more about what’s happening and how to protect yourself.”

It sounds convincing enough. But recipients who follow the link will be taken not to Bank One’s website but to a look-alike set up to gather user names and passwords. It’s the latest kind of Internet scam, one that’s known as “phishing.”

“They’re fishing for passwords,” explains Dave Jevans, chairman of the newly formed Anti-Phishing Working Group. Jevans, a senior marketing vice president at e-mail security vendor Tumbleweed Communications, notes that hackers have been using “ph” instead of “f” since the days of “phone phreaking” in the 1970s. “They’re out there casting a wide net and pulling in a smaller number of fish.”

Some of the scams, which are documented at www.antiphishing.org, can be easily identified by their misspelled words or bizarre claims. Others are more sophisticated. Graphics and wording are copied straight from official company correspondence and websites. And not only do Internet users have to be leery of where an e-mail appears to come from, but it’s also getting harder to identify bogus URLs. A recently discovered bug in Microsoft Internet Explorer allows fraudsters to blank out portions of Web addresses, making phony URLs appear legitimate, Jevans says. What’s more, his group estimates that it takes law enforcement an average of 160 hours to shut down a fraudulent website when it’s hosted outside the United States (of which 40 percent are). By that time, about 5 percent of a company’s customers who have received the e-mail may have fallen for the scam. The result? A nightmare of password changes or fraudulent transactions.

Although the scams are impossible to prevent, CIOs can take steps to mitigate the damage, says Howard Schmidt, former vice chairman of President Bush’s Critical Infrastructure Protection Board, who is now CISO of eBay. “Those [e-mails] are most easily defeated by two things: making sure that online users of your product are educated that these things are oftentimes fraudulent, and encouraging them not to click on the link in the e-mail but to actually go to the [company’s authentic] site,” Schmidt says.

Companies also need to remind customers that they will never ask via e-mail for personal information — and make sure employees who correspond with customers keep that promise. Finally, CIOs should have processes in place to collect customer complaints about spoofing and pass them on to law enforcement. In other words, you’ve gotta try to keep the phisher from recasting his net.

-Sarah D. Scalet


U.K.  Project 

Continued  from  Page  22 

liamentary  inquiry  in  2003.) 

Each contractor’s job is to install virtually identical electronic patient records systems in Brighton, Bristol, Birmingham and hundreds of other cities across England. While it might seem inefficient, this duplication is rife — by design. “The approach is radically different to anything we’ve seen before,” says Tola Sargeant, an analyst with Ovum. “By splitting the project into five regions, the idea is to promote competition.” Should one vendor fall down, others will be vying for the work — and be well-placed to quickly take it on.

But despite the hoopla, electronic patient care records aren’t new, having first surfaced in a government strategy document in 1998. Many hospitals had already taken the plunge, and others were about to. “We’ve had to demonstrate that our patient care record project was in compliance with the national guidelines,” says Mark Bostock, IT business development manager at the Lancashire Teaching Hospital NHS Trust. While the Lancashire project passed muster, many other soon-to-start projects didn’t, he explains.

Despite Europe’s reputation for strict privacy laws, privacy issues haven’t dominated the project, notes Ray Jackson, managing director of Solcara, a company involved in de-identifying patient records for the health service. When transmitting patient records externally, the strategy is to strip out names and addresses, and rely on the unique health-service number issued to every citizen. But that won’t take care of confidential information held in free-text fields, such as doctors’ notes, warns Jackson. So far, having been long accustomed to regular newspaper reports of patient records turning up in Dumpsters, British citizens seem unfazed.

-Malcolm Wheatley


2  4  CIO  APRIL  1,  2004 


www.cio.com 


PHOTO  ILLUSTRATION  BY  STEPHEN  WEBSTER 




Double your productivity with Scan2 technology.

The best way to stay ahead is to double your productivity. Introducing Scan2 technology from Sharp. Sharp's Digital Imagers with Scan2 technology are designed to scan two-sided documents in a single pass.

Now  all  of  your  training  manuals  and  white 
papers  can  be  scanned,  copied,  emailed  and 
digitally  distributed  quicker  than  ever  before. 


In  fact,  it's  115%  faster  than  any  other  product 
in  its  class.  Not  only  is  it  like  having  double  the 
help,  it  will  also  allow  you  to  accomplish  more 
in  dramatically  less  time.  Together  with  Sharp's 
integrated  network  management  software 
and  security  features,  your  digital  information 
is  safe  and  workflow  is  fully  optimized. 

Visit  sharpusa.com/scan2  or  call  1-800-BE- 
SHARP  for  more  information. 


The AR-M550, AR-M620 and AR-M700:

• Operate at 55, 62 and 70 pages-per-minute
• Fully integrated network ready digital copier/printers
• Include network management software and document filing capability

be sharp


*  Results  of  Buyers  Laboratory  Inc.  Document  Feeding  Speed  tests  (originals  per  minute)  in  2:2  mode  for  Sharp  AR-M550  vs.  the  following  manufacturers'  competitive  models:  Canon  iR  5000  and  5020,  HP  9055  MFP,  Konica 
7155,  Kyocera  Mita  KM-5530,  Ricoh  Aficio  1055  and  551,  and  Toshiba  e-STUDIO  550.  ©2003  Sharp  Corporation 


trendlines 


Off  the  Shelf 


Edited  by  Carol  Zarrow 


Reputation  Protection 

In  an  era  of  companies  behaving  badly,  a  good  reputation  can  be 
worth  its  weight  in  gold.  These  books  reveal  how  to  keep  your 
company's  reputation  bright. 


The  18  Immutable  Laws  of 
Corporate  Reputation:  Creating, 
Protecting  and  Repairing  Your 
Most  Valuable  Asset 

By  Ronald  J.  Alsop 
Free  Press,  2004,  $26 


A CORPORATION’S REPUTATION, built through years of effort, is far too important to be left to the whims of public opinion and rumor. Reputations don’t and shouldn’t just happen, according to Ronald J. Alsop, who covers corporate branding and reputation for The Wall Street Journal. With the Internet providing both a means of evermore intense scrutiny and a machine for instantaneous rumors to spread globally, the need is greater than ever for CEOs, CIOs and other corporate leaders to nurture and reinforce their company’s reputations. In The 18 Immutable Laws of Corporate Reputation, Alsop provides interesting and useful insights into how some notable companies do just that.

A company’s stakeholders play an important role in creating its public face, Alsop says, but other factors—some quantifiable, some not—also come into play: For example, is the company socially responsible? Does it perform well financially? In the light of recent company scandals and executive shenanigans, Alsop’s book is nothing if not a timely reminder that corporate America is capable of doing better.

Most of the “immutable laws” that Alsop puts forth are (or should be) common sense: Be a good corporate citizen; establish a strong vision; create an emotional connection; avoid defensiveness. Nothing earth-shattering there. The special contribution of 18 Immutable Laws is that the author reinforces his arguments with examples from companies such as FedEx and DuPont that are serious about their reputations. Some of these ideas are intriguing, such as that companies should consider creating the position of “chief reputation officer” or conducting crisis-simulation drills and having a contingency plan in the event of a reputation-damaging incident.

In the long run, however, Alsop admits that even extraordinary measures such as these won’t always be effective—and they won’t be effective at all, he asserts, unless every employee in a company accepts his individual responsibility for maintaining his employer’s reputation. One of the biggest reputation killers, as Home Depot and McDonald’s have painfully discovered, is poor customer service.

While Alsop concludes that crises are inevitable, his behind-the-scenes details of specific crisis-management incidents prove that they need not tarnish corporate reputation permanently. Crises will happen, but honesty and contrition are powerful antidotes. -Megan Santosus


An ABC About Corporate Reputation

A. Absolute Honesty: Building a Corporate Culture That Values Straight Talk and Rewards Integrity
By Larry Johnson and Bob Phillips
Amacom, 2003

“Nothing occurs in a vacuum. When [a company’s] culture authorizes aberrant behavior, aberrant behavior becomes the norm, and a culture of integrity ceases to exist.”

B. Building Reputational Capital: Strategies for Integrity and Fair Play That Improve the Bottom Line
By Kevin T. Jackson
Oxford University Press, 2004

“Companies that operate ethically, that safeguard and cultivate their reputations, gain a competitive edge over rivals that don’t.”

C. The Cheating Culture: Why More Americans Are Doing Wrong to Get Ahead
By David Callahan
Harcourt, 2004

“Americans are not only cheating more in many areas but are also feeling less guilty about it. When ‘everybody does it,’ or imagines that everybody does it, a cheating culture has emerged. But why all the cheating and why now?”


CIO Best-Seller List

The Real Thing: Truth and Power at the Coca-Cola Company
By Constance L. Hays
Random House, 2004

How to Change the World: Social Entrepreneurs and the Power of New Ideas
By David Bornstein
Oxford University Press, 2004

Women Don’t Ask: Negotiation and the Gender Divide
By Linda Babcock and Sara Laschever
Princeton University Press, 2003

The Great Unraveling: Losing Our Way in the New Century
By Paul Krugman
W.W. Norton, 2003

Good to Great: Why Some Companies Make the Leap...and Others Don't
By Jim Collins
HarperCollins Publishers, 2001

SOURCE: March 1, 2004, data, compiled by WordsWorth Books, Cambridge, Mass.




2:07PM LOG INTO HOTSPOT
2:08PM NETWORK SECURES THIN AIR
2:09PM TRANSMIT FILES THROUGH THIN AIR
2:25PM UPDATE PURCHASE ORDER
2:35PM EXPENSE COFFEE ORDER

The  more  freedom  you  give  employees  to  work  anywhere,  the  more  you  can  achieve.  That's  good.  But,  at  the  same  time,  the  more  you  expose 
yourself  to  intruders  and  worms.  That's  not  so  good.  How  far  can  a  network  travel  to  protect  your  office?  Now,  the  answer  is  everywhere.  Cisco 
networks,  with  integrated  wireless  security,  protect  mobile  workers  who  constantly  move  outside  the  safety  of  the  corporate  network.  So 
information  is  secured.  No  matter  where  it  exists.  To  learn  more  about  how  Cisco  can  help  plan,  design  and  implement  your  network  security, 
visit  cisco.com/securitynow.  SELF-DEFENDING  NETWORKS  PROTECT  AGAINST  HUMAN  NATURE. 


©2004  Cisco  Systems,  Inc.  All  rights  reserved.  Cisco,  Cisco  Systems,  Cisco  IOS,  and  the  Cisco  Systems  logo  are  registered  trademarks 

or  trademarks  of  Cisco  Systems,  Inc.  and/or  its  affiliates  in  the  U.S.  and  certain  other  countries. 


The Dow Chemical Company’s archives held 5.5 million pages of R&D. To help researchers access them in minutes instead of days, they turned to Xerox for the correct formula. There’s a new way to look at it.

Learn more: www.xerox.com/learn For a sales rep: 1-800-ASK-XEROX ext. LEARI

© 2004 XEROX CORPORATION. All rights reserved. XEROX®, The Document Company® and There's a new way to look at it are trademarks of XEROX CORPORATION.

THE DOCUMENT COMPANY
XEROX




WEB  APPLICATIONS 

Museum  Sends  Art 
Home  to  Customers 


FOUNDED BY SEA CAPTAINS IN 1799, the Peabody Essex Museum has long displayed the rarities brought back from their far-flung travels. Now the recently renovated museum is working to make those objects of art more vivid for visitors—and to continue that experience after they leave.

Like museums the world over, the Salem, Mass., museum is using the Web to connect with customers in an online digital gallery called Artscape. The goal is to change how visitors, including the visually impaired, explore the museum’s collection—among the nation’s largest at 400,000 works of art, 400,000 rare books, 2 million rare photographs, 2 million pages of manuscript and 27 historic buildings. Artscape displays the entire collection online and allows museum visitors to create personal online galleries.

Artscape works in tandem with the museum’s free audio tours. Using a telephone device, visitors can punch in the number associated with an object on display—a Chinese Moon Bed, for example—and listen to a curator’s overview of the work.

Insert the telephone into a cradle connected to a kiosk, and the kiosk asks the user for a name, password and e-mail address. The kiosks download this information and create bookmarks, at www.pem.org, of favorite objects.

Later, the museum sends an e-mail with a link to Artscape so that the recent visitor can browse more items related to the Chinese Moon Bed, such as a circa 1860 photo called Treasury Street, Canton, by Felice Beato.

John Grimes, the museum’s deputy director of strategic initiatives, says Artscape is designed “to help people engage in the creative human experience, and give people tools for further inquiry and access.” Users also can search video and audio clips, definitions and book excerpts.

Sam Quigley, president of the Museum Computer Network, says art museum curators “are aware of the public mandate for easy access via the Web to their collection,” adding that he believes roughly two-thirds are working on Web-related projects for exhibited works. Built for $75,000 with an Access database, Flash multimedia application and a Google search engine, Artscape enables what Joshua Duhl, a rich media analyst at IDC, says is the promise of online digital access—maintain interest so that visitors “get to hold onto the experience.”

Since its 2003 launch, Artscape has added details that museum visitors can’t get. Its online exhibit of Thomas Seymour furniture provides insight into the 19th century craftsman’s workmanship that only handling the pieces could provide. (Security guards object to such attempts.) A feature set to debut this month describes objects for the visually impaired. -Dawne Shand

[Photo caption: Artscape is an online showcase for items from the Peabody Essex Museum collection, like this 19th century wooden Liberian mask.]


STORAGE 

Tale  of  the  9-Track  Tape 


FOR A LONG TIME, 9-track was big. Its distinction: the only physical media shared among most mainframes, minicomputers, workstations, even PCs. CIOs came to rely on 9-track tapes as their primary storage medium for engineering, military and government archives, starting in the 1960s, making 9-track one of the most long-lived technologies in computing history. The drives, notes Timothy Shary, assistant professor of screen studies at Clark University, appeared as symbols of advanced technology in movies from Katherine Hepburn's Desk Set (1957) to WarGames (1983).

But all good things must come to an end. In 2001, after more than 35 years of producing tapes, Graham Magnetics, in Graham, Texas, stopped shipping new 9-track tapes. And last September, Qualstar, the last U.S. 9-track drive maker, shipped its final unit.

Trey Wilkins, marketing director at eMag Solutions, the parent of Graham, says in the 10 years prior to the retirement of 9-track, demand for tapes was dropping by 20 percent a year. Likewise, says Bob Covey, vice president of marketing at Simi Valley, Calif.-based Qualstar, in the last three years, “demand for new drives had effectively fallen to zero.”

There continues to be a strong aftermarket for used and refurbished tape and equipment. But Covey says Qualstar’s focus is now on newer tape formats, such as DLT (digital linear tape) and LTO (linear tape open), and on drives with high levels of automation, storage well-suited to backup and archiving as venerable as 9-track was in its time.

Wilkins says 9-track is naturally a less stable medium than more modern tape media, making it vital for IT managers to preserve the information contained on older tapes.

That means some companies that own millions of 9-track reels will need to spend time and money to maintain and, most likely, migrate those tapes to newer media, says Stan Zaffos, a Gartner analyst.

The lesson, says Zaffos, is that CIOs must always look ahead to the next generation of storage technology while managing to ensure the survival of their data. He adds, “Archiving isn’t so much about technology as it is about procedures and practices.” -Alan R. Earls




Nokia. For business.

For a company to be competitive, IT departments know that business professionals need access to up-to-the-minute information, anywhere, anytime. The Nokia range of mobile business devices and email solutions put effective business tools at the fingertips of today’s information driven mobile user. Nokia combines voice, messaging and PDA features in one easy to carry device. Do your users need full email access with attachment reading? When empowered with Nokia email solutions, your workforce can have secure access to corporate email accounts and critical information on the go.

Even  on  the  move,  your  workforce  can  stay 
connected,  in  control,  and  open  for  business. 


anytime,  anywhere  access  to  email 


Learn  more  about  mobilizing  your  business. 

www.nokia.com/mobilebusiness/americas 


Nokia  6820 


Nokia  6800 


Nokia  6200 


NOKIA 

Connecting  People 




On  the  Move 


By  Meridith  Levinson 


Mergers  Put  Four  Key 
Career  Questions  to  CIOs 


J.P. MORGAN CHASE AND BANK ONE. FedEx and Kinko’s. Maybe Comcast and Disney. Mergers are in fashion again, in what some observers suggest is a sign of a strengthening economy—or at least investor confidence. For CIOs caught up in mergers, it’s a time to answer crucial career questions. Will they lead the combined IT group? Be part of postmerger plans? Or be kicked to the curb? Answering those questions doesn’t have to be a tea-leaves reading.

Stephen Mader, CEO of executive recruiter Christian & Timbers, which has helped CIOs transition to new jobs following M&As, identifies four factors that executives—including CIOs—can use to help them determine whether to jump ship ASAP or stick things out.

Where does your company stand? If your company will operate as a separate entity after the merger is complete, you have a better chance of keeping your job. If the merger is a consolidation strategy where businesses will be blended to obtain efficiencies, your odds for staying on don’t look as good. One example from the CEO ranks: Michael Capellas, Compaq’s one-time CIO who became its CEO, stayed for about a year after announcing a merger with Hewlett-Packard. He now heads MCI.

Where’s your boss? Mader says the boss’s fate is an indicator of what will happen to the CIO. “If two companies are merging in a total absorption and consolidation strategy where you only need one CIO when it’s over, rest assured that 95 chances out of 100 that the prevailing CEO in that merger will have his own prevailing CIO remain in charge,” Mader says. (If the CEO is unhappy with the CIO, it’s a different story, he adds.) Similarly, if a CIO’s CEO gets a subservient role after a merger, that CIO may want to start looking for a job. That former boss probably isn’t going to remain for very long.

How much integration work is there? If the acquiring company doesn’t intend to consolidate post-merger operations, there may not be a lot of integration work. If the merger is going to require massive integration, that should help to sway a CIO’s career decision one way or the other depending on his work preferences.

Where’s the opportunity? If a CIO sees a lot of work ahead to make the merger a success and thinks he has the skills and resources to do it, the merger could be an opportunity to showcase his leadership and management abilities. Says Mader, “He’ll be in a high-visibility spot that will be easy to recognize and reward once they’re complete.”

One CIO’s Merger Story

When John Mariano, the former CIO of Academic Management Services, learned last year that Sallie Mae would be acquiring his company, he didn’t know how the deal would work. He says he figured that Sallie Mae “would want to find some place for me.” He felt similarly about his IT team.

Mariano, 36, found reason to worry when he learned that Sallie Mae was planning on centralizing IT in one location. To keep a job, he’d have to relocate to its Virginia headquarters. Meanwhile, Mariano’s mother was suffering with a terminal illness. He was caught between wanting to care for her and for his IT department (some of whom stayed to work for Sallie Mae).

Mariano says he asked Sallie Mae executives if they saw a long-term plan for him. “At one point they said there was something, then they said they weren’t sure,” he says of Sallie Mae. “I think they were looking and trying [to find something for me], but I was not willing to relocate. I wanted to stay in New England.” He decided to leave AMS on Dec. 31, 2003, before the merger was complete. (Sallie Mae declined to comment on Mariano’s departure.)

In February, Mariano was freelance consulting, daunted by the task of looking for a stable job. “I don’t even know where to begin,” he says of the process. “My strength is yielding value through technology. Whether it’s as a technical architect or a CIO doesn’t matter as long as I’m in that function. Title doesn’t matter. That’s what I love to do.”


Terry Prether, former VP for IT and corporate services at Attachmate, was named CIO of Shurgard Storage Centers, a self-storage real-estate investment trust. Andrew G. Platt was promoted from director of business technology to VP for information services and CIO at J.M. Smucker. He reports to the food company's controller. Keith Satterfield, former director of management information services at Eastman Kodak subsidiary Kodak Versamark, was named CIO. He reports to Nachum Shamir, Kodak Versamark president and a VP of the parent company. Joseph Joy was appointed VP and CIO of Health Management Systems, a provider of cost containment services for public health-care programs.




APRIL 1, CIO/APRIL CSO ■ VOLUME 6, NUMBER 1


Protect Your Business From the Outside In

The New Agenda For Network Security

CSO

Custom Publishing Advertising Supplement

Preventing Hack Attacks ■ Disaster Recovery & Business Continuity ■ Managing Network Security: The Tactical Battle




For the client who designs or supplies half of the world’s nuclear power plants, protecting its critical network resources is a high priority. But so is access. Thousands of users rely on sensitive data and applications to get their jobs done. The answer: Secure Identity and Access Management with RSA SecurID® authentication and RSA ClearTrust® web access management. Proven solutions that are helping this leading energy provider keep its secrets safe, its users productive, and its administrative costs low. Solutions that could make safely sharing your Q2 sales goals a lot easier than hitting them. To learn more, download our Identity & Access Management and Federated Identity Management white papers at www.rsasecurity.com/go/iam2.

©20CK RSA Security Inc. All rights reserved. RSA, RSA Secured, the RSA Security logo, SecurID and ClearTrust are registered trademarks or trademarks of RSA Security Inc., in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.




FROM  THE  OUTSIDE  IN: 

About  The  New  Agenda 
for  Network  Security 


BY  TOM  FIELD 


Four years ago, I spoke with two different CIOs about network security, and they gave me two entirely different perspectives.

The first CIO, who oversaw IT at a major U.S. aerospace firm, talked about attending an infosecurity lecture at a regional CIO conference. When polled about network security issues, 59 percent of the CIOs said their companies’ networks had never been hacked. “Ignorance is bliss, I guess,” the CIO said. “These people have been hacked; they just don’t know it.”

The second CIO, a divisional IT leader at a major US manufacturing company, told me that network security funding was a serious challenge for him. He couldn’t convince his boss that it was a battle worth funding. His solution? Whenever a harmless-but-annoying e-mail virus struck his company, he made sure it got through to his CEO’s and CFO’s desktops. “Nothing damaging, of course,” the CIO said. “Just something to let them know that even though the threat is invisible, it’s very real.”

Needless to say, that second CIO is no longer a CIO at that particular company. And business/IT leaders everywhere have wised up to the point where they know the infosecurity threat is real.

And yet despite the grim realities we live with today - through September last year, 115,000 security “incidents” were reported to Carnegie Mellon University’s CERT (Computer Emergency Response Team) - infosecurity leaders are starting 2004 with a new agenda.

In short, the scare tactics are out, new possibilities are in. Rather than dwell upon network security threats and the havoc they can wreak on global enterprises, security leaders today are talking about the new business opportunities that can be explored once you’ve secured your network perimeter.

Which brings us to this, the first 2004 edition of Strategic Directions.

As you read the anecdotes and advice in this issue, consider how you can apply them in your own organization. And, please, don’t hesitate to share with us some of the tactics that have worked best for you.

Meanwhile, as you’re considering your responses, let’s all take to heart this new agenda security leaders are pursuing. It’s a scarier world by far than the one we saw four years ago. And yet the security professionals are telling us it’s no longer about the threat, it’s about the possibilities.

I like that.


TOM FIELD IS DIRECTOR OF CONTENT FOR CXO MEDIA'S CUSTOM PUBLISHING GROUP. PLE/ HOUGHTS ON STRATEGIC DIRECTIONS JO TOM A1 COM.


APRIL  1,  CIO/APRIL  CSO  •  VOLUME  6,  NUMBER  1 


Information Security: new corporate challenge

4 The Explosion of Hacking (And What You Can Do about It)
12 Invitation Only: Identity Management Strategies

Managing Network Security: the tactical battle

14 Are Networks out of Control?
18 Come Together: Integrating Enterprise Security Management
19 Should You Outsource Network Security?

Network Security: disaster recovery & business continuity

22 Building the Survivable Network


Coming Soon

Data Integration: CIO 6/1/04, CSO 6/04
Business Intelligence: CIO 9/1/04, CSO 9/04
Storage ROI: CIO 11/1/04, CSO 11/04




new  corporate  challenge 




The Explosion of Hacking (AND WHAT YOU CAN DO ABOUT IT)


THANKS TO RECENT WORM ATTACKS and the grim promise of plenty more in the future, it’s clear that we won’t be going back to business-as-usual anytime soon.

Here’s the truth: when it comes to corporate information security, it’s clear that we don’t live in Kansas anymore. Instead, the recent onslaught of viruses and worms like last year’s Blaster and SoBig attacks have made clear that the corporate fortress is being assailed from all sides, all the time—and the attacks will only get worse. In 1988, Carnegie Mellon University’s CERT (Computer Emergency Response Team) Coordination Center reported six security incidents. In 1995, that number climbed to above 2,400. In just the first three quarters of 2003, nearly 115,000 incidents were reported.

Certainly, part of the problem is that there’s no perimeter anymore. Who’s us? Who’s them? Who knows? So many attacks come from inside rather than outside—as many as 75 percent, by some accounts—that building ever-stronger perimeter defenses doesn’t help. There are a variety of other reasons that hacking has become such a major threat:

It's easy for the bad guys. Internet-based attacks on networks are easy to launch and hard to trace, making them a low-risk venture.


SAFE PASSAGE FOR E-BUSINESS


Nothing clobbers an e-business initiative more than customer fears about the safety and security of their data. Fortunately, solutions are emerging that can help businesses to boost productivity and customer satisfaction—without compromising data security.

Securing e-mail. Customers at Charles Schwab & Co wanted to access information like 401(k) statements in order to download the information into desktop financial management tools like Quicken—but without the hassles of special document viewers, multiple passwords, or logging on to the Schwab website. The answer: Schwab opted for a solution from PostX Corp. that delivers secure e-mail to any desktop or web-based e-mail client, so Schwab can reach all of its customers.

Portal to stronger sales. After deploying NEC's Enterprise Information Portal StarOffice21 to supplant paper-based and word-of-mouth information sharing, Japan's Parco Space Systems is using its new web-based portal, dubbed PS-NET, to strengthen sales capabilities and information sharing among its 500 employees and 27 locations. Because PS-NET replaces several non-secure, independently developed e-mail systems, it not only reduces overall operating costs by enabling rapid transmission of information between top management and employees, it also has significantly boosted Parco's network security.




PUTTING  A  PRICE  ON  NETWORK  SECURITY 


Nobody  can  quantify  safety— and  yet,  CIOs  must  try.  Faced  with  the  reality  of  tight  IT  budgets  and 
increased  spending  scrutiny,  IT  executives  must  find  a  way  to  cost-justify  security  spending. 

"To  build  coherent  security  architectures  and  programs  to  support  them,  CIOs  and  security  chiefs 
need  to  assess  their  firms'  security  risks  and  develop  mitigation  strategies,"  notes  Laura  Koetzle, 
senior  analyst,  computing  and  security,  at  Forrester  Research.  "Once  they've  done  those  things,  CIOs 
and  security  chiefs  can  ask  for  budget  in  terms  that  the  CEOs  and  CFOs  will  understand." 

"In  order  to  justify  the  need  for  increased  security,  CIOs  must  be  able  to  outline  how  time-consum¬ 
ing  and  costly  it  is  to  recover  from  a  security  breach,"  says  Sterling  Beane,  director  of  technology  for 
West  Virginia's  Braxton  County  Public  School  System.  "The  aftermath  of  a  security  breach  or  virus 
attack  is  far  more  costly  than  implementing  proper  security  measures.  In  this  case  the  old  adage  is 
true:  an  ounce  of  prevention  is  worth  a  pound  of  cure." 

Joe  Granneman,  PC  and  network  director  for  Rockford  Health  Systems  and  a  user  of  Top  Layer 
Networks'  Attack  Mitigator  intrusion  prevention  solution,  has  the  following  suggestions  for  how  CIOs 
can  make  their  security  case: 

• State the actual risk without over-dramatizing the potential damages of not acting. "Do not
overstate the FUD factor because it can damage your credibility for future projects," says Granneman.
"How many times will they believe that the sky is falling?"

•  Explain  the  technical  concepts  of  potential  security  problems  in  clear  English.  "Demonstrate  the 
tangible  effects  of  not  acting  on  a  potential  threat-financial  impacts  are  the  most  compelling.  Do  not 
belabor  the  technical  details,"  says  Granneman. 

• Talk about the things that aren't being funded. "Talk about potential security risks that are too
low or too expensive and don't require mitigation—this can add to your credibility among the members
of the management staff when real threats that require fiscal intervention occur," says
Granneman. It also demonstrates a realistic attitude towards security spending.

• Present third-party research that supports your arguments. "The research should be from sources
that will not benefit from your security spending," says Granneman.

"I like to recommend that CIOs look at return-on-negligence (RON)," says Toby Weiss, senior vice
president, eTrust Security Management, at Computer Associates. "What's the cost of not doing anything?
What is the cost of the status quo? Can we do things better, with tighter security and with
lower operational costs?"


These  days: 

•  Source  code  isn’t  needed  to  find  vulnerabilities 

•  Intrusion  tools  are  becoming  more  sophisticated — 
they’re  designed  to  support  large-scale  attacks — while 
being  easy  to  use,  even  for  novices 

•  Attackers  are  leveraging  broadband  connections  to 
launch  large-scale  attacks 

“Many CIOs and security chiefs don’t place enough emphasis on security hygiene basics,” says
Laura Koetzle, senior analyst, computing and security, at Forrester Research. For example,
she says that many neglect to enable default-deny on routers where appropriate, standardize on
a few security-validated configurations of each operating system, or implement standard
processes for receiving, testing, and deploying security patches.

Intense technical complexity. It’s understandable. Applications, protocols, and the Internet
itself are becoming increasingly complicated and interconnected—and we rely on them more than
ever. Meanwhile, in too many enterprises, IT infrastructures have evolved into Rube Goldberg
affairs—although they mostly get the job done, they’ve become too unwieldy to continue to
function efficiently and securely. In fact, many are in danger of succumbing to their own
complexity.

Staffing issues. Many times, network and system administrators are not sufficiently trained,
or given the proper resources to implement proper security procedures.




ADVERTISING  SUPPLEMENT 


Blue  Cross  and  Blue  Shield  of  Nebraska 
Powers  its  Business  with  NEC  Servers 


STUDY 


WHY DID BLUE CROSS AND BLUE SHIELD of Nebraska decide to integrate NEC's
Express5800/1000 series of Intel® Itanium® 2 processor-based servers into its existing
data warehousing and business intelligence environment?

An  independent  licensee  of  the  Blue  Cross  and  Blue 
Shield  Association,  Blue  Cross  and  Blue  Shield  of 
Nebraska  provides  health  care  coverage  or  benefit 
administration  to  more  than  640,000  Nebraskans. 

According to Steve Grandfield, Blue Cross and Blue Shield of Nebraska's vice president of
Information Services, with more than half a million members supported by a complex computing
environment, the organization "required a solution that would not only provide us with the
ability to support large numbers of users, but offered ease of system management and
overall system stability as well."


STREAMLINE  OVERALL  HARDWARE 


The NEC Itanium systems, which will be used initially for enterprise data warehousing and
business intelligence capabilities, will also allow Blue Cross and Blue Shield to eventually
streamline the amount of overall hardware they have in stock.

"This is a real validation of NEC's innovation and technology to provide solutions that offer
breakthrough levels of performance, reliability and scalability," says Larry Sheffield, senior
vice president of the Solutions Platform Group for NEC Solutions America. "We look forward to
working with Blue Cross and Blue Shield to integrate our Itanium servers into their existing
IT infrastructure and scale their data warehouse to support their ongoing growth."

HIGH PERFORMANCE AND SCALABILITY

"It was also important for us to work with a proven leader such as NEC, whose superior
technology as well as its supercomputer and mainframe expertise will pay dividends through
high levels of service in a complex computing environment such as ours," adds Grandfield.

THE NEC EXPRESS5800/1000 SERVER SERIES

NEC's  Itanium  2  processor-based  servers  are  designed 
to  meet  the  needs  of  the  most  demanding  enterprise 
and  technical  computing  applications.  In  order  to 
maximize  the  performance  of  the  Itanium  2  Processor, 
NEC  has  developed  a  high-performance  chipset  and 
crossbar  switch  cultivated  through  the  development 
of  NEC's  supercomputer  and  mainframe  technology. 
With  these  innovations,  the  1000  series  not  only 
demonstrates  high  performance,  but  also  realizes 
high  scalability  and  high  reliability. 

To  learn  more  about  NEC's  Itanium  2  servers  visit 
www.necsam.com/ia64-2  or  call  1.866.632.3226. 


Empowered  by  Innovation 


The  Spam  Crisis 

THE CURRENT WISDOM IS THAT ABOUT 50 PERCENT of all e-mail is spam—and around 30 percent of
today’s e-mail traffic is infected with at least one worm or virus. That’s a lot of e-mail,
considering that by 2006, e-mail traffic will exceed 60 billion messages a day.

How can companies fight the problem? Here are a few ideas:

Beyond text filtering. When media company Network World, Inc. realized that spam accounted
for almost 90 percent of the 30,000 e-mails it received every day—and then figured out that
each piece of spam cost at least 5 cents, adding up to $250,000 per year—it became clear that
they needed to go on the counterattack. Using only a text filter on e-mail, IT staffers spent
as much as six hours a day trying to keep up with spammers’ ever-changing strategies. But after
installing SurfControl’s E-mail Filter, Network World reduced IT time spent on e-mail filtering
to less than an hour per day while also cutting the false-positive rate (when a legitimate
e-mail is mistakenly treated as spam) to just a quarter of 1 percent.

Getting bandwidth back. Since implementing SurfControl’s Web Filter, the U.K.’s Royal Cornwall
Hospitals Trust has reclaimed at least 40 percent of its available bandwidth, which had been
lost to non-work-related surfing and downloads. Meanwhile, complaints from medical staff about
encountering pornography while online have dropped by more than 90 percent.


WHEN IT COMES TO ITANIUM SERVERS, EVERYONE ELSE FOLLOWS.

Introducing the fastest, most innovative Itanium 2 servers from NEC Solutions America.

When it comes to Itanium 2 servers, no one has more experience than NEC. NEC's Express5800/1000
servers use Intel® CPU technology combined with NEC's own platform to create the fastest 32-way
Itanium 2 server available. With the advanced processing power of the Itanium 2 chip, the
Express5800/1000 performs up to 30% faster than most RISC servers, yet it's about one-third of the
cost. With 90% of the leading database applications available for Itanium 2, the Express5800/1000
will also dramatically increase the performance of your data center. NEC's Express5800/1000 delivers
competitive server pricing, high-speed processing, and high scalability across your network.

Windows Server 2003

To learn more about NEC’s Itanium 2 servers and download the free
white paper go to: http://www.necsam.com/ia64-4 or call 1.866.632.3226

NEC is a registered trademark of NEC Corporation and one/or more of its subsidiaries. Microsoft and Windows
are registered trademarks of Microsoft Corporation. Intel and Itanium are trademarks or registered trademarks
of Intel Corporation in the U.S. and/or other countries. All other trademarks and registered trademarks are the
property of their respective owners. © 2004 NEC Solutions (America), Inc. All Rights Reserved.


Invisible encryption. To ensure its compliance with the Health Insurance Portability and
Accountability Act (HIPAA), California-based Catholic Healthcare West turned to Tumbleweed
Communications’ Secure Public Network, which it deployed at the server level so end users would
be shielded from message encryption requirements. Also eliminated: the costly and complex
administration of certificate management between entities.

Quarantine. Tumbleweed’s solutions protect Catholic Healthcare West’s internal infrastructure
from incoming e-mail laden with viruses, spam, or denial-of-service (DoS) attacks. To dodge
destructive virus attacks without the hassles of a virus patch, Catholic Healthcare West
quarantines .vbs messages using Tumbleweed Secure Policy Gateway so messages never reach
employee desktops and network performance is not affected.

Crashing  the  Internet 

AS OF THIS WRITING, THE INTERNET HAS NOT YET been brought down by a denial-of-service attack,
but some experts believe it’s only a matter of time. Certainly these attacks, which choke off
legitimate network traffic by bombarding certain servers with illicit traffic, have and will
continue to force targeted businesses to a standstill. The costs, of course, can be enormous:
lost sales, employee productivity trashed, negative publicity.

Consider the distributed DoS attacks launched over the 2004 Super Bowl weekend: aimed mostly
at online gambling sites, they started on Friday and continued through the weekend, peaking at
200 megabits per second. Many were “cyber shakedowns” launched by extortionists who threatened
to keep attacking until protection payments were made. Some sites, however, deflected the
attacks using Riverhead Networks’ XT Series of appliances, which filter out malicious traffic
using active mitigation capabilities that rapidly detect attacks and separate malicious packets
from legitimate traffic.


WHAT'S TODAY'S RISK FACTOR?

Internet Security Systems' Internet Risk Impact Summary for the second quarter of 2003 shows
that the number of serious security incidents increased nearly 14 percent over the first quarter
of 2003. Meanwhile, the number of new vulnerabilities grew by 20 percent, with more than 700
new weaknesses identified.

Industries most attacked in 2Q 2003:

• Services—24 percent
• Financial and insurance services—19 percent
• Retail—16 percent
• Manufacturing—11 percent
• Government (federal, state, local)—8 percent
• Food and drug—5 percent
• Information technology—4 percent
• Healthcare—3 percent


WHEN  IT  COMES  TO  NETWORK  SECURITY,  NEVER  ASSUME  ... 


...  That  the  internal  network  is  safe.  "Internal  networks  can't  offer  the  same  level  of  protection  as 
external  networks,"  says  Joe  Granneman,  PC  and  network  director  for  Rockford  Health  Systems.  "Guard 
your  LAN  ports  with  physical  security  or  port-based  authentication." 

...  That  your  greatest  security  risk  is  from  a  hacker.  "Studies  have  shown  that  potential  damage  from 
employees  and  consultants  far  exceeds  the  risk  from  external  hackers,"  says  Granneman. 

...  That  your  management  team  understands  the  actual  risks  posed  by  data  security  issues  and  the 
potential  financial  loss. 

...  That  your  software  vendors  are  versed  in  data  security  issues.  "They  will  request  access  levels  from 
you  to  make  their  work  convenient,  not  secure  your  enterprise,"  notes  Granneman. 

...  That  any  one  security  device  is  sufficiently  capable  to  deal  with  threats.  According  to  Granneman, 
"The  best  security  is  multi-vendor  and  multi-layered  with  overlapping  roles." 

...  That  your  staff  is  designing  security  into  new  projects. 

Adds  Christian  Byrnes,  vice  president  and  service  director  at  META  Group,  "A  little  bit  of  paranoia 
goes  a  long  way  toward  solving  security  problems." 




Automotive  Exchange  Securely  Manages 
Access  for  Thousands  of  Member  Companies 


STUDY 


COVISINT IS A GLOBAL SOLUTIONS provider founded by the world's largest automobile
manufacturers, including DaimlerChrysler, Ford and General Motors, to improve the effectiveness
of mission-critical processes such as collaborative product development, procurement, and
supply chain management. Through the Covisint exchange, manufacturers and suppliers conduct
business efficiently and securely, enhancing members' cost structure, time to market, and the
quality of goods and services.

Not surprisingly, says Dave Miller, chief information security officer for Covisint, "an
exchange environment poses rigorous security challenges. You want to make the system so
convenient that members can't imagine doing business any other way. Yet you need to provide a
level of security that will satisfy your users and auditors alike."


COST EFFECTIVE, DRAMATIC SCALABILITY, EASILY ADAPTED

"When Covisint started, we only had 200 companies and 5,000 identities. We needed a secure web
access management solution that worked from a cost standpoint yet would allow us to scale
dramatically. RSA ClearTrust® software has enabled us to do that. Today we securely manage
access for over 135,000 users from 25,000 companies spread across 96 countries, and those
numbers are growing daily," says Miller.

RSA ClearTrust software from RSA Security Inc provides Covisint with a single electronic
identity and point of connectivity for each user, single sign-on (SSO) across member sites, and
easy administration of user access privileges. On the security side, the web access management
software erects high barriers to intruders, ensuring that sensitive information is not revealed
to competitors, and federating user identity information so it can be securely passed from one
member company to another.

"In the old days, an engineer who worked for a supplier might have IDs for 10 different Ford
systems," says Miller. "When that engineer moved to another supplier, you were lucky if five of
those IDs were removed. That individual could still access sensitive information. Now, when
that engineer leaves, the employer can turn off his access to 50, 60 or 70 systems with one
operation."

Miller also noted that RSA ClearTrust software is easily adapted. "The auto industry has
well-established ways of handling identity management," he says. "For example, IDs are
associated with special numbers and supplier hierarchies. RSA ClearTrust software provides
hooks that allow me to write custom items that 'look automotive.' In turn, this makes the
Covisint environment more appealing to companies in the industry."

For  more  information  on  how  RSA 
ClearTrust  software  can  secure  you, 
visit  www.rsasecurity.com 




Protecting  their  company  from  such  malicious  attacks  is  only 
one  of  the  strategic  investments  CIOs  need  to  make  in  security 
technology.  The  first  step  is  developing  an  overall  policy. 

“One of the biggest challenges CIOs face while implementing and managing network security is
understanding their overall security posture,” says Greg Gotta, Symantec Corp.’s vice president
of gateway and network security.

Steve Purdham, CEO of web- and e-mail-filtering solutions provider SurfControl, sees five clear
steps that CIOs must take to solidify their security strategy:


1 Identify what information and resources are critical to your organization.

2 Identify the risks—what happens if the information is lost or the resources are misused?
“These are not small tasks, but clearly defining the problem is critical to the overall
success of your strategy,” says Purdham.

3 Define a policy that protects the organization.

4 Adopt technology that will allow you to enforce this policy across all areas of your network,
for both the local and remote workforce. “Many corporate security risks are to the company’s
information,” Purdham says, “which is why a complete security solution must go beyond the
firewall.” CIOs should add technologies such as web and e-mail filtering—as well as technology
to manage instant messaging and peer-to-peer applications—to other physical security solutions
such as encryption, intrusion detection and authentication.

5 Train all your employees on how to prevent risks from entering your network.

“There are three major drivers for security: regulations, risk mitigation, and cost reduction,”
says Toby Weiss, senior vice president, eTrust Security Management, at Computer Associates.
“Any effective security strategy must address all three.”


About 40 percent of enterprise organizations are continuing to underfund security.


How  to  Get  Control  of  Spam  Without 
Compromising  Performance 


STUDY 


LIKE  MOST  COMPANIES,  CompuCom  saw  its 
volume  of  spam  explode  exponentially-and 
its  staff  grow  anxious  for  relief.  But  when 
Chris  Odom  and  Travis  Parker,  members  of  CompuCom's 
network  services  team,  went  looking  to  upgrade  their 
content  filtering  solution,  they  had  more  on  their 
minds  than  blocking  spam. 

What they wanted was to improve users' experiences by reducing the volume of spam without
compromising performance. What they needed was a solution that would enable them to get control
of spam, reduce false positives, and be scalable as well as flexible. But to deliver, the
solution had to address a number of issues. Even getting control of spam, it turns out, was not
straightforward for the giant IT services and system integrator.


RULES AND FALSE POSITIVES

"Even with the strong anti-spam agents available in products today, none we found was powerful
enough to block the amount of spam appearing daily at CompuCom's gateway," explains IT manager,
Parker. "What we needed was the ability to develop customized rules that, when used in
conjunction with the anti-spam agent, effectively blocked unwanted content."

Of course, solving the spam problem by creating additional rules often results in the
generation of false positives-and most people, maintains director of network services, Odom,
have "zero tolerance for false positives." The answer, of course, is to "rewrite the rule to
prevent the block. The problem is how to quickly identify what rule was violated in the first
place."


PERFORMANCE AND SCALABILITY CONSIDERATIONS

Performance and scalability were other considerations. Because CompuCom's volume of mail could
fluctuate dramatically, Odom and Parker needed a solution that could easily scale to meet
demand. And they were committed to maintaining performance, with "delay of the day's internet
email unacceptable," adds Odom.

After evaluating five alternatives, including service-based arrangements, CompuCom selected
SurfControl Web and E-mail Filters.

Today, CompuCom has a content filtering solution that effectively blocks 79.9% of spam on a
volume of 85-90,000 messages daily, helps to reduce false positives via a message administrator
function that makes it easy to find and analyze the reasons for blocked messages, is flexible
enough to accommodate customized rules and rules changes, includes a centralized database
functionality for quick scalability—and meets CompuCom's performance requirements.

"We  were  impressed  with  SurfControl's  feature  set, 
flexibility  and  its  concise,  understandable  graphical 
user  interface,"  adds  Odom. 

For  more  information  visit 
www.surfcontrol.com 




Stop porn and other harmful content with SurfControl Web Filter

Take back control of your network. SurfControl blocks all forms of unwanted Web content such as
porn, gambling and spyware using the industry’s most comprehensive, accurate list of categorized
URLs. And with remote administration and tailored reporting, you really get the upper hand.
No wonder IT professionals voted SurfControl the best Web filter*.

Download SurfControl Web Filter for a free 30-day evaluation now at www.surfcontrol.com
or call us at 1 800.368.3366. Because network abuse hurts.

* Winner of the 2003 Microsoft Certified Professional's Best Web Filter award in the “Monitoring Employee Web Usage” category.

© 2004 SurfControl plc

SurfControl

The World’s #1 Web & E-mail Filtering Company


new  corporate  challenge 




WHEN IT COMES TO IDENTIFYING users and authorizing their access to corporate networks and
applications, the limitations of using passwords have become painfully evident. Passwords are
easy to guess, easy to hack, and easy to steal using techniques that range from keystroke
loggers to phishing. Moreover, they’re a management nightmare.

Still, points out Art Coviello, president and CEO at RSA Security, “There are smart, simple
alternatives to static passwords that enable organizations to avoid potentially expensive and
damaging security breaches that can occur both inside and outside the firewall.”

The  new  alternatives 

A NUMBER OF ALTERNATIVE APPROACHES TO IDENTITY and access management enable administrators to
centrally manage authentication, authorization, and access across increasingly
web-services-enabled enterprise IT environments.

• Token-based two-factor authentication. To gain access, users must produce two identifying
factors. One is something like a personal identification number (PIN) that only the user knows.
The other is something only the user has, such as a token with a unique and frequently changing
access code generated by a secure source. This system provides more robust proof of identity
than passwords and can be leveraged across multiple applications.

• Biometric-based two-factor authentication. Because the second identifying factor is something
the user has that’s difficult for someone else to steal and misuse (a fingerprint or a retinal
scan, for instance), this kind of authentication is regarded as stronger than token-based
two-factor authentication.

•  Smart  cards.  By  consolidating  employee  badging  and 
security  onto  a  single  programmable  device,  smart  cards 
can  lower  infrastructure  costs  (even  though  card  readers 
must  be  widely  deployed)  and  make  access  easier  for 
authorized  users. 

•  Digital  certificates  and  encryption.  Tough  to  mimic  or 
intercept,  encrypted  digital  certificates  must  be  retrieved 
by  users  from  secure  servers  and  presented  before  access  is 
granted.  Proof  of  identity  is  considered  strong  because  a 
trusted  third  party  has  vouched  for  the  certificate  holder. 
And  since  the  certificate  is  encrypted,  it’s  unintelligible  to 
the  unauthorized  and  very  resistant  to  attack. 

• Web access management. By enabling administrators to centrally manage user access privileges
across various networks and domains—including single sign-on across multiple
applications—organizations can get rid of multiple security schemes and maintain exhaustive
control over access to resources.

“Identity and access management technologies help an organization establish trust in its online
environment, ensure the security of its corporate data, and add tangible business value to
existing applications,” says John Worrall, vice president of worldwide marketing at RSA
Security. These new solutions can reduce costs, improve customer service and retention,
streamline business processes, and increase employee productivity. Says Worrall: “They are
critical components of any security infrastructure.”

For example, when U.K.-based consumer credit data supplier Experian signed up new users for web
access, its paper-based system processing took 48 hours—and an average of 2 percent of the user
population called in each month for a password reset. Since implementing RSA Security’s
ClearTrust web access management solution, new users now sign up online, and most password
resets are performed without IT help, resulting in lower account administration costs and
better client satisfaction and security.

Automated  user  provisioning 

AS MORE AND MORE COMPUTER APPLICATIONS ARE extended to a widening array of employees, partners,
and customers, managing application security is becoming impossibly complex.

Automating account provisioning can help. Solutions from such vendors as Courion Corp.,
Waveset, and Business Layers enable the creation and deletion of accounts and user IDs without
system-by-system administrator intervention. The efficiency and return on investment such
solutions deliver has prompted major network and systems management vendors such as Computer
Associates and IBM/Tivoli to add automated account provisioning to their suites of solutions.

For example, just automating password resets can save significant money. Gartner Inc. has
estimated that each one costs $20 and takes about 7.5 minutes while users are authenticated.
No less than 30 percent of calls to enterprise customer support centers involved password
problems, according to Gartner. Many companies—such as General Electric—use technology such as
Courion’s PasswordCourier to solve the problem. GE expects the number of passwords
automatically reset by PasswordCourier to reach 10,000 per month, as well as help the company
reduce helpdesk calls by several thousand every month.

At Atlanta-based SunTrust Banks, each password reset request took 11 minutes and accounted for
some 25 percent of helpdesk call volume. Since implementing PasswordCourier, SunTrust password
resets are done in a minute or less.


SunTrust  Banks  on  Courion’s  Automated  Provisioning 


SunTrust Banks, Inc. operated as an organization of 28 banks up until 2000 when it organized
under a single bank charter. The bank's combined infrastructure included multiple operating
systems and custom and legacy applications. The bank was comprised of different business units
and approximately 30,000 users (employees and contractors), which required the equivalent of
about 60 FTEs for user administration.

As SunTrust set out to upgrade its identity management operations, key business drivers
included: immediate enforcement of corporate termination policies; fully auditable account
management process; improved provisioning SLA's; easier end user access, and reduced user
administration headcount.

BRANCHING  OUT  INTO  ROLE-BASED  ACCESS 
CONTROL 

SunTrust  deployed  Courion's  Identity  Management 
Suite™,  anchored  by  AccountCourier®  and 
PasswordCourier®  for  integrated  user  provisioning  and 
self-service  password  management.  SunTrust  leveraged 
role-based  access  control  with  its  on-line  and  retail 
banking  division. 

A self-service portal, now being deployed, will enable managers (whose groups have been defined
in roles) to provision employees with very little information, specifically employee name,
role, and location. Behind the scenes, Courion's AccountCourier discovers required technical
information, and through roles and business rules knows what access to grant.

DRIVING OPERATIONAL EFFICIENCY: SELF-SERVICE IDENTITY MANAGEMENT

Adding automated provisioning and self-service password management resulted in a positive trend
in end user adoption, and cost, security and service improvements. PasswordCourier generated
immediate cost savings through the reduction of password-reset calls to SunTrust's help desk.
AccountCourier provided an added layer for enforcement of termination policies across the
enterprise, and broad support of platforms and provisioning functionality.

When  fully  defined  roles  and  a  fully  automated 
auditable  account  management  process  are  realized, 
SunTrust's  service  level  agreement  (SLA)  for  on-boarding 
a  new  employee  will  decrease  from  days  to  just  minutes. 

For more information on identity management optimization, visit www.courion.com/cso or e-mail
cso@courion.com




the  tactical  battle 




Are  NETWORKS 


IN MANY ORGANIZATIONS, THE “ENTERPRISE network” is actually an arcane, ad hoc complex of
separate, autonomous services that supports diverse applications running at the behest of
various enterprise functions and lines of business. Organized, it isn’t.

It’s  all  far  too  convoluted,  and  managing  such  a  complex 
infrastructure  requires  a  throng  of  protocols  to  master,  a 
multitude  of  service  agreements  and  maintenance  contacts 
to  track,  a  horde  of  programs  to  patch.  Total  sum  of  this 
equation  equals  some  serious  cash. 


What’s more, getting a coherent view of a complex, multi-layered, multi-protocol network is tough. So inefficiencies—traffic bottlenecks, under-utilized bandwidth, duplicate facilities—are inevitable, and vulnerabilities, such as undetected single points of failure, remain unrecognized and unaddressed.

“In many ways,” observes Chris Zannetos, president and CEO of Courion Corp., “our industry has not been fully prepared for the operational and organizational issues created by ubiquitous computing and ubiquitous access.” This situation will only be further exacerbated by the advent of wireless, PDA, Internet cellphone, and other technologies, he says: “As always, the understanding of the operational challenges lags the understanding of the business opportunities created by these technologies.”


PHASING IN BUILT-IN SECURITY

Like many new ways of doing business, building security into applications and networks is best accomplished in phases.

Phase One

Train your developers and system architects.

Conduct pre-production application level vulnerability testing of both critical and non-critical apps that includes feedback to developers and regular reassessments.

Thoroughly test your DMZ for vulnerabilities with an eye to root causes and systematic solutions.

Deploy application-level firewalls for moderately- as well as critically-important web-based applications.

Phase Two

Conduct a thorough vulnerability assessment of your internal network, focusing on root causes and fixes.

Initiate regular application-level vulnerability scans.

Deploy intrusion detection systems and accompanying monitoring and response processes at key network access points—and until then ensure that log files on critical network devices are habitually reviewed.

Create and adopt a systems development process that ensures security requirements are addressed and met throughout the development lifecycle.

Keep training your developers and system architects.


FIVE STEPS TO NETWORK SEGMENTATION

WHEN YOU UNDERTAKE NETWORK SEGMENTATION, EXPERTS ADVISE THAT YOU FOLLOW THESE STEPS:

1. Talk to others who've done it successfully in environments like yours so you can leverage their experience. Many organizations segment networks into a DMZ, a semi-public segment (mail servers, web servers, basic DNS service), a trusted segment (accessible only by trusted hosts), and a private segment (hosting user workstations and allowing only outgoing traffic flow).

2. Make sure you know your network well before starting any segmentation design work. For instance, what protocols does your business depend on? Although TCP/IP has become dominant, you may find that other network protocols still play an important role.

3. Be aware of how network segmentation may impact your operations model. Example: if your monitoring protocol is SNMP or ICMP, what will segmentation do to your service levels?

4. Understand your network traffic. You need to grasp the details and the larger patterns, so don't rely on a one-day traffic sample.

5. Use a small pilot project to develop a network segmentation strategy and then implement in increments.

Building security into the network

THE REALITY IS THAT CIOS NEED TO FIND A WAY TO build security into the bones of the network. For starters, they need to build lots of availability, scalability, and management automation into both applications and the network infrastructures that support them. Doing this requires a comprehensive, top-down view of the ways applications, systems, network infrastructures, and security safeguards interconnect.

Meanwhile, threats to the enterprise network are intensifying. Once upon a time, security threats were mostly single-mode, making them easy to eradicate with a single product. But no longer. Today, we face blended threats of such complexity that the solutions to address them must combine the capabilities of several security products.

One answer is network segmentation. Ever since routing protocols became commonplace in business networks, the importance of network segmentation as a security strategy has grown. The issue: routable protocols (of which TCP/IP is the supreme example) are designed to link anywhere with everywhere else, so they’re being used by more and more organizations and individuals—as well as by criminals who exploit them to launch the likes of MyDoom, SoBig, and Slammer.

Because network segmentation physically separates a network into distinct parts, it provides a means to manage the flow of routable traffic and protect data and applications. A network segment has its own firewall (implementing rules appropriate to its needs), can have its own hub or switch, is typically assigned a contiguous range of IP addresses, and may include many machines or just one.

Data moving between network segments must pass through segment firewalls, and high-risk public servers are generally located in a heavily monitored network “demilitarized zone,” or DMZ, where attacks can more easily be isolated and controlled.

For  example,  the  SQL  Slammer/Sapphire  Worm,  which 
struck  in  January  2003,  caused  an  estimated  $1  billion  in 
damage.  However,  one  Fortune  500  company  that  operates 
more  than  100  process  control  networks  worldwide  escaped 
unscathed.  How?  By  using  risk-based  network  segmentation, 
75  CyberGuard  VPN/firewall  appliances,  and  e-DMZ 
Security’s  Co-Managed  Firewall  Service,  which  provides  24/7 
event  management  and  production  support.  Within  two 
minutes  of  the  Slammer  attack,  e-DMZ  was  able  to  query  the 
company’s  entire  environment  and  determine  that  none  of 
the  firewalls  was  allowing  access  through  the  affected  port. 
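The fleet-wide check described above, confirming that no segment firewall lets the affected port through, can be sketched as follows. This is an added example, not code from the supplement or from e-DMZ Security: the rule format, firewall names and rulesets are constructed for illustration, first-match evaluation with an implicit default deny is assumed, and the port queried (UDP 1434, the SQL Server port Slammer targeted) is supplied here because the article does not name it.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) destination port range


def _covers_port(rule, proto, port):
    """True if the rule applies to this protocol and destination port."""
    return rule.proto in (proto, "any") and rule.ports[0] <= port <= rule.ports[1]


def _shadowed(rule, earlier_denies):
    """True if one earlier deny rule matches every packet this allow rule could.

    Shadowing by a combination of several partial denies is not detected, so
    the audit errs on the side of reporting a possible exposure.
    """
    src = ipaddress.ip_network(rule.src)
    dst = ipaddress.ip_network(rule.dst)
    return any(
        src.subnet_of(ipaddress.ip_network(d.src))
        and dst.subnet_of(ipaddress.ip_network(d.dst))
        for d in earlier_denies
    )


def exposing_rules(rules, proto, port):
    """Indexes of allow rules that can pass proto/port under first-match order."""
    denies, hits = [], []
    for index, rule in enumerate(rules):
        if not _covers_port(rule, proto, port):
            continue
        if rule.action == "deny":
            denies.append(rule)
        elif not _shadowed(rule, denies):
            hits.append(index)
    return hits  # an empty list means the implicit default deny applies


def audit_fleet(fleet, proto, port):
    """Map each firewall that exposes proto/port to its offending rule indexes."""
    report = {}
    for name, rules in fleet.items():
        hits = exposing_rules(rules, proto, port)
        if hits:
            report[name] = hits
    return report


# Constructed rulesets for four hypothetical segment firewalls.
FLEET = {
    # Explicit deny first, so the broad high-port allow below it is shadowed.
    "plant-a-fw": [
        Rule("deny", "udp", ANY, ANY, (1434, 1434)),
        Rule("allow", "udp", "10.0.0.0/8", "10.20.0.0/16", (1024, 65535)),
    ],
    # Only TCP 1433 from one application subnet; UDP 1434 hits default deny.
    "plant-b-fw": [
        Rule("allow", "tcp", "10.1.0.0/16", "10.30.5.0/24", (1433, 1433)),
    ],
    # Allow placed ahead of the catch-all deny: the port is reachable.
    "lab-fw": [
        Rule("allow", "udp", "10.9.0.0/16", "10.40.0.0/24", (1434, 1434)),
        Rule("deny", "any", ANY, ANY, (0, 65535)),
    ],
    # Deny covers one source range only; a wide port-range allow still exposes it.
    "dmz-fw": [
        Rule("deny", "udp", "192.0.2.0/24", "10.50.0.0/24", (1434, 1434)),
        Rule("allow", "any", ANY, "10.50.0.0/24", (1024, 2000)),
    ],
}

if __name__ == "__main__":
    for firewall, indexes in audit_fleet(FLEET, "udp", 1434).items():
        print(f"{firewall}: rule(s) {indexes} allow udp/1434")
```

A segmented environment passes this audit when the report is empty; here two of the constructed firewalls fail, one through rule ordering and one through an over-broad port range.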

No wonder network segmentation is widely used in security-intensive special-purpose networks, such as those supporting funds transfer, process control transactions, and research and development.


WHAT'S  A  BLENDED  THREAT? 

•  Uses  multiple  methods  to  attack  and/or  propagate 

•  Causes  harm,  sometimes  in  multiple  ways 

•  Automated,  so  can  be  triggered  without  user  action 

•  Exploits  vulnerabilities 




Braxton  County  Public  Schools  Finds 
Affordable  Network  Security 


STUDY 


TO GET THE NETWORK SECURITY functionality he needed, Sterling Beane, director of technology for the West Virginia-based Braxton County Public School system, found himself facing the prospect of implementing a piece-meal solution built by cobbling together products from various vendors.

What's more, as the only person experienced enough to install and manage the system he would, most likely, be doing all the work himself across the school's nine locations - with budgets so tight, help was not likely. It was an impossible situation, recalls Beane, with a "learning curve that was just too big and an implementation curve way too daunting."

What he needed was a way to integrate all the functions he was looking for into a single, easy to use solution that he could manage from his office. And in 2003, he found exactly what he needed with Symantec's Gateway Security 5400 Series solution.


FUNCTIONS INTEGRATED AND MANAGEMENT CENTRALIZED

"This product is everything I was hoping to find," reports Beane. "It has all the functionality I wanted including firewall protection, automatic spam blocking and intrusion detection. And because it's all integrated, I can centralize the management. And I was simply amazed at the throughput," he adds. "I expected a slow down, but my Internet connection is not one bit slower than it was before."

Today, Beane can easily look at any of the boxes on his network across the nine campuses, checking to see if anyone is attempting to hack in and, if they are, what methods they're using. Moreover, he can proactively use the analysis to pinpoint areas where Braxton can make changes to enhance security. Most importantly: he can do it all himself.

And as the sole person responsible for keeping Braxton's network secure, Beane also appreciates how Symantec Security Response keeps him updated.

"I don't have to worry about updating the antivirus definitions, intrusion detection signatures, or content filtering lists," explains Beane. "I just set the time I want updates to happen and they do; the box updates itself and Symantec will notify me if there's a new threat.

"This is an affordable solution—even with the limited resources of a public school system," he adds.

For  more  information  about  Symantec's  solutions,  visit 
www.symantec.com 


Symantec 


The Intelligent Network

IN THE END, THE GOAL IS TO BUILD A NETWORK THAT can apply a level of intelligence to security issues.

“Businesses need to take a more holistic approach to security instead of the protect-the-perimeter approach employed by many companies,” says Hossein Eslambolchi, chief information officer and chief technology officer at AT&T.

Thus, AT&T is evolving its network and the managed services it supports toward what it calls “application awareness.” The plan calls for a single, global photonic infrastructure that automates and simplifies every application by providing built-in network intelligence that anticipates user needs, self-diagnoses and self-heals to keep the network running smoothly. The result:


• Dynamic deployment of applications to maximize server utilization, boost user experience, and cut capital outlays.

• Automatic deployment, distribution, scaling, and disaster recovery of web services, web applications, SIP applications, and dynamic content.

• Self-provisioning of virtual private networks (VPNs) so enterprises and their applications can be linked with customers, suppliers, and employees.

• Reliability, security, and business continuity built into every layer.

“Today’s hybrid security threats require tighter integration of multiple technologies,” says Eslambolchi, “and a carefully planned defense-in-depth strategy incorporating some aspect of all security elements.”




Model 5420 Shown. Symantec and the Symantec logo are U.S. registered trademarks. Symantec Gateway Security is a trademark of Symantec Corporation. ©2003 Symantec Corporation. All rights reserved.


Today’s  threats  require  a  lot  more  than  a  firewall. 
This  is  a  lot  more  than  a  firewall. 


Firewall 
Intrusion  Prevention 
Intrusion  Detection 
Virus  Protection 
Content  Filtering 
Anti-Spam 
VPN 


Introducing  the  Symantec™  Gateway  Security  5400  Series.  It  wasn’t  long  ago  that 
a  firewall  provided  all  the  perimeter  protection  an  enterprise  needed.  But  that  was 
before  blended  threats  like  Slammer  and  Blaster.  Now  there’s  the  Symantec  Gateway 
Security  5400  Series,  full  inspection  firewall  appliances  that  integrate  intrusion 
prevention  and  intrusion  detection,  virus  protection,  content  filtering,  anti-spam  and 
VPN.  The  result  is  a  better  defense  against  complex  attacks  and,  thanks  to  centralized 
management  capabilities,  greater  control  over  your  organization’s  perimeter  security. 
To  learn  more  or  to  receive  our  free  multimedia  CD,  “Symantec  Gateway  Security  5400 
Series,”  visit  http://ses.symantec.com/SGS5400  or  call  800  745  6054. 


Symantec. 




COME TOGETHER:

Integrating Enterprise Security Management


“LOOK AT THE AMOUNT OF DATA that security professionals are faced with,” says Toby Weiss, Computer Associates’ senior vice president, eTrust Security Management. Firewall systems, intrusion detection systems, access control systems, hosts, etc.—each produces too many events for administrators to deal with. Bottom line, says Weiss: “Integration between security solutions and between security and network/systems management is essential.”

For example, integration is the motivation behind Symantec’s Enterprise Security Architecture, an integration platform comprising a Java agent, a web application server, relational datastore, an LDAP directory, and a web browser-based console. The platform does the following:

•  Manages  several  Symantec  products,  including  Enterprise 
Firewall,  Intruder  Alert,  and  AntiVirus; 

•  Collects  data  from  third-party  applications  and  forwards 
it  to  other  third-party  management  systems; 

• Offers a role-based administrative domain model that allows delegated administration along physical or organizational lines, as well as event management or product policy configuration lines;

• Provides a unified policy configuration management system that can be used across all Symantec Enterprise Security products.

This kind of integration enables greater flexibility in managing the security lifecycle—threat awareness, policy definition, implementation, and monitoring—by bringing these elements together into a common management paradigm.

Or into a single appliance. Symantec’s Gateway Security 5400 Series, for instance, integrates firewall, virtual private network (VPN), antivirus, intrusion detection and prevention, content filtering, anti-spam, and high availability and load balancing components into an appliance that protects networks at the gateway to the Internet or subnets of larger wide-area and local-area networks (WANs and LANs).


Top Layer Networks’ Attack Mitigator intrusion prevention solution stops hybrid attacks such as HTTP worms, DoS/DDoS attacks, protocol and traffic anomalies, IP spoofing, SYN flood attacks—in real time—allowing network administrators full control in selecting how the device will respond to detected attacks. Precise but flexible actions against malicious and suspicious traffic include monitoring, alerting, limiting, and blocking.

“By eliminating the need to deploy and manage multiple security products from different vendors,” says Greg Gotta, vice president, gateway and network security, at Symantec, “integrated security appliances deliver comprehensive protection while reducing total cost of ownership.”

Indeed,  integrating  and  centralizing  security  management 
functions  can  save  vast  amounts  of  IT  staff  time  and 
resources — not  only  because  tasks  like  virus  updates  can  be 
handled  automatically  without  relying  on  end  users,  but  also 
because  once  updates  and  patches  are  applied,  the  chances  of 
being  successfully  attacked  drop  considerably. 

For example, Computer Associates’ eTrust InoculateIT has allowed the Plano, Texas, Independent School District to manage virus updates on 23,000 workstations from a single point of management—each workstation is updated every time a user logs in. Denial of service attacks are prevented because eTrust InoculateIT also locks down desktop agents so users cannot access settings.

After deploying eTrust Antivirus, Audit, and Intrusion Detection, Colorado Springs School District 11 decreased the amount of time needed to detect and repair virus damage from 3,500 to 52 hours per year. Server uptime, formerly “more down than up,” is now almost 99 percent.

“More  security  doesn’t  make  you  more  secure — better 
management  does,”  notes  CA’s  Weiss.  “The  company  that 
knows  where  their  IT  assets  are,  what  the  vulnerabilities  are, 
and  has  the  correlating  technology  to  find  out  what  is  really 
happening  in  the  overwhelming  sea  of  security  data  they  are 
receiving  will  fare  much  better  than  a  company  that  doesn’t 
have  this  kind  of  management  in  place.” 




Should  you  outsource  network  security? 


MORE FLEXIBLE AND DYNAMIC OUTSOURCING arrangements—made possible mostly by advances in network management systems and remote technologies—offer new ways to get help with network security. Indeed, Forrester Research reports that more than 70 percent of Global 3500 companies use managed services, notably for disaster recovery and hosting.

Outsourcing  network  security  can  offer  the  following 
advantages: 

• Flexibility and control. “Co-managing still provides the best combination between outsourcing and in-sourcing,” says Kris Zupan, CISSP, chief executive officer/chief technology officer at e-DMZ Security. “As network volatility increases, these benefits will become more important.”

Zupan notes that the increased complexity and speed of attacks are requiring constant monitoring and skilled professionals to react and respond.

•  Global  View.  Managed  security  services  providers  also 
tend  to  have  a  more  global  view  of  the  infosec  landscape. 
Conversely,  the  pervasive  nature  of  attacks  and  sometimes 
dramatic  steps  required  to  deal  with  them  (like  shutting 
down  a  mail  gateway  or  isolating  an  infected  network)  will 
put  more  emphasis  on  the  internal  control  of  the  security 
tools  at  a  company’s  disposal. 

•  Application  infrastructure  hosting.  The  enterprise  retains 
control  over  an  application,  outsourcing  all  infrastructure 
management.  Servers,  software,  data,  network  connections, 
firewalls,  and  so  on  may  actually  be  remotely  located  and 
operated  by  the  service  provider,  whose  environment  may  be 


An  Elegant  Firewall  for  a  Dangerous  Mission 


Controlling access to mission-critical systems is the goal of every organization. But for some, including one of the world's largest chemical companies, the stakes can be very high indeed. According to the company's Chief Security Officer (CSO), a firewall breach can compromise finely tuned process systems, impacting business and potentially "threatening employee safety and the environment."

After September 11th 2001, one of the company's top priorities was to ensure that its 200-plus high- and medium-risk manufacturing process sites were guarded by the most compelling firewall solution available. Lacking the security expertise in-house and believing this is one of the situations that warrant seeking expertise from the outside, the CSO went looking for help. What he found was a unique solution from Managed Security Service Provider e-DMZ Security. According to this CSO, what makes e-DMZ's approach so compelling is the rich environment e-DMZ Security wraps around firewalls, "the way they architected the entire security solution."

THE  DIFFERENCE  IS  THE  ENVIRONMENT 

Foremost, all communications and control are encrypted, ensuring security is tight; and there are authorization and audit trails, so every change, no matter how small, is logged, approved and documented.

And unlike other offerings, e-DMZ had already done the work needed for centralizing firewall management and control of the chemical giant's 200+ distributed sites - all of which have firewalls unique to their process requirements. The sites also have process engineers with little or no firewall expertise. Fortunately, e-DMZ's solution was designed to be distributed under just such conditions, making implementations cost-effective and timely.

Another compelling feature is the ability to co-manage. For safety and security reasons, it's essential that process engineers be able to make changes without being inhibited by the firewall.

"We had to ensure the engineers who own those processes would have access whenever they needed it and e-DMZ provided the flexibility without compromising the audit trail," reports the CSO.

"e-DMZ came in with the technology we needed already wrapped around the firewall; it is, quite simply, elegant."

For more information on how e-DMZ Security can protect you, visit www.e-dmzsecurity.com


Your  Information  Security  Ally™ 




Hands-on  control  over  your  network, 
day  and  night 


STUDY 


"A LOT OF SERVICE PROVIDERS ARE moving to web-based customer care to enhance their customer care and to increase efficiencies," says Sandra Palumbo, a senior analyst with the Yankee Group. "AT&T is the furthest along at this point. Anecdotal evidence indicates that customers are very pleased with it."


COST-EFFECTIVE  MANAGEMENT 

Why  are  customers  so  pleased?  One  reason  is  the  way 
the  AT&T  BusinessDirectSM  Portfolio  of  eServicing 
capabilities  enables  a  business  to  cost-effectively 
manage  its  AT&T  relationship  around  the  clock: 

• The AT&T BusinessDirect Web Portal

AT&T BusinessDirect is a secure, award-winning web portal that enables you to perform a variety of network and routine supplier-management tasks. BusinessDirect Map provides point-and-click management of an organization's AT&T inventory and view of network elements.

"AT&T is committed to setting a new benchmark for the industry, process automation and simplification, empowering customers with network visibility and control, and collaborative networking capabilities," says Bob Sloan, AT&T eSales & Service Vice President. "By putting advanced networking tools into the hands of our customers, AT&T is giving businesses real-time, end-to-end visibility into their cross-application environments to help them cut costs, gain market share and link with their customers more effectively."

• AT&T eBonding

For customers that submit very high volumes of electronic transactions, such as service orders or trouble reports, AT&T eBonding is the answer. AT&T eBonding enables a customer's internal systems to interact directly with AT&T's internal systems so they don't have to re-key data into a web browser.

"No other competitor has a capability similar to AT&T's eBonding B2B platform, which can help significantly increase a customer's efficiency and productivity," Sloan explains. "AT&T's core network support systems are linked directly with large business customers' purchasing, accounting and maintenance systems—giving companies unprecedented access to network information in real time."

SUPPLIER  MANAGEMENT  ADVANTAGES 

What's more, the AT&T BusinessDirect Portfolio delivers supplier management advantages that position a company to:

• Make cost saving business decisions, backed by critical AT&T networking performance data.

• Proactively address changing business conditions by re-routing toll-free calls and bringing voice trunks in and out of service.

• Launch circuit tests, check network alarms, and report service interruptions, without the time-consuming call screening.

• Deploy disaster recovery plans within minutes.

• Review, analyze and pay your bills, place orders, check current inventory, and more—with online convenience.

• Manage your AT&T network 24x7

For more on how AT&T can help your company, visit www.att.com/business


far  more  secure  and  robust  than  the  enterprise’s.  In-house  IT 
staff  is  free  to  concentrate  on  the  application  itself. 

• Customizing depth-of-service. Using managed services enables organizations to vary their depth of services by application or line of business. Outsourcing the management of a particular part of an application infrastructure provides end-to-end service—from a communications link and the hardware and software at either end of the link to installation, monitoring, and management services. Fees are based on performance and capability; the effect is to transform several chunks of a network into one, supported via a single point of contact.




Can your network turn business as we know it into business as we want it?


IT  CAN  IF  IT’S  DESIGNED  BY  THE  WORLD’S  NETWORKING  COMPANY.  Now  that  everything  is  on  it,  your 
network  is  more  important  than  ever.  So,  can  your  network  handle  the  demands  of  a  transformed, 
interconnected  and  very  demanding  new  world?  Is  it  wired  and  wireless  and  virtual  and  constantly 
available  to  authorized  personnel  and  nobody  else?  Is  it  in  lockstep  with  your  partners  and  three  steps 
ahead  of  your  customers?  At  AT&T,  we  don’t  just  carry  more  Internet  traffic  than  anyone  in  North 
America,  we’re  also  committed  to  building  simpler,  stronger  and  smarter  networking  environments. 
And  it’s  why  we’re  partnering  with  other  key  technology  companies  to  help  make  it  happen.  Can 
your  network  overpower  every  obstacle  in  its  way  and  actually  do  all  the  things  it  was  designed  to 
do  in  the  first  place?  We’d  like  to  introduce  you  to  one  that  can.  Just  call  1-888-889-0234. 


AT&T 

The world's networking company


att.com/networking 


©2004  AT&T 




recovery  &  continuity 

Building the Survivable Network


FOR MOST BUSINESSES, THE COSTS OF downtime are truly staggering. A January 2004 survey from PriceWaterhouseCoopers shows that a company with $500 million in revenue could lose more than $4 million annually because computer downtime wrecks productivity. You need more specific numbers? According to Faulkner Information Services, a retail brokerage would lose $6.45 million per hour of downtime; for a credit card sales authorization outfit, the pricetag would be $2.6 million per hour.

If  this  sounds  bad,  it  is.  And  most  CIOs  don’t  want  to  know: 
Indications  are  mounting  that  too  many  organizations  have 
been  too  optimistic  for  too  long  about  just  how  bad  it  can  get. 

• Nearly a third of organizations have no manual alternatives to their digitized data and processes, according to Gartner Datapro.

• A third of companies say they’ll lose data or operational efficiency in the event of disaster because of insufficient planning and investment in business continuity, reports the Economist Intelligence Unit.

• According to Meta Group, just 20 percent of Global 2000 organizations have business continuity plans effective enough to provide a strong likelihood of surviving a disaster without lasting adverse impacts.


THE THREE R'S OF SURVIVABILITY

RESISTANCE: The ability to deter attacks/failures

RECOGNITION: The ability to recognize attacks/failures and assess damage

RECOVERY: The ability to provide essential services and assets during an attack/failure and recover full services afterward


SECURITY  POLICIES  THAT  WORK 


"Unless  policies  meet  business  needs  and  are  up  to  date  and  enforced,  they  will  fail,"  says  Christian 
Byrnes,  vice  president  and  service  director  at  META  Group. 

To  get  ahead  of  the  vulnerability  curve,  more  and  more  organizations  are  using  automated  tools  to 
help  manage  enterprisewide  security  policies. 

After  using  Solsoft,  Inc.'s  Policy  Server  security  policy  management  solution,  France's  premier  press 
distribution  company,  Nouvelles  Messageries  de  la  Presse  Parisienne,  cut  its  security  update  process  from 
two  full  days  to  30  minutes.  Policy  Server  flexibly  supports  NAT,  VPN,  and  firewalls  in  the  same  package  so 
organizations  can  improve  security  using  their  current  technology  and  with  minimal  migration  effort. 

Using these kinds of tools helps IT staff keep networks, systems, and applications in compliance with established security policies, helps reduce vulnerability to attack and thus lower incident response costs, and makes it easier to adjust both policy and compliance efforts to changing business conditions.




SOLUTIONS  CENTER 


Riverhead Networks
Steve Woo, VP, Marketing & Business Development
info@riverhead.com
(T) 408.253.5700; (F) 408.253.5735

www.riverhead.com 

Riverhead  Networks  delivers  high-performance  solutions  that  defeat 
today's  most  powerful  DDoS  attacks.  Featuring  full  Gigabit  line-rate 
attack  processing  and  "Zombie  Killer"  technologies  that  identify  and 
block  more  than  100,000  attackers  per  device,  Riverhead's  new  XT  Series 
appliances  protect  enterprises  and  service  providers  alike  against  the 
largest,  most  massively  distributed  attacks. 


PostX
Contact: Michael Weir
mweir@postx.com
408.851.3598


http://www.postx.com 

PostX  ensures  trusted  delivery  of  information  vital  to  business  and  cus¬ 
tomer  relationships  enabling  organizations  to  deploy  a  variety  of  trusted 
messaging  methodologies  to  meet  security  and  usability  requirements  for 
Secure  Email,  Secure  Statements,  and  one  to  one  Trusted  Messaging; 
while  creating  a  more  competitive  organization  in  today's  fast-paced, 
global  economy. 




Solsoft,  Inc. 

Toll  Free.  +1-877-646-8225 
Fax.  +1-650-428-2804 


www.solsoft.com/cxo 

Solsoft  is  the  leading  provider  of  network  security  policy  management 
solutions.  The  company's  flagship  product,  Solsoft  Policy  Server,  delivers 
centralized  security  configuration  management  for  multi-vendor  fire¬ 
walls,  routers,  switches,  and  VPNs.  Customers  worldwide  use  Solsoft's 
solution  for  initial  security  policy  deployments,  on-going  security  policy 
updates,  audits,  and  response  to  security  attacks. 




Tumbleweed  Communications 
Sales  Department 
info@tumbleweed.com 
800-696-1978 


www.tumbleweed.com 

Tumbleweed  Communications  is  a  leader  in  providing  secure  Internet 
messaging  software  products  for  enterprise  and  government  customers 
of  all  sizes.  Tumbleweed  solutions  are  used  to  make  email,  file  transfer, 
and  Web  communications  secure,  reliable,  and  automated.  Founded  in 
1993,  Tumbleweed  is  trusted  by  over  600  customers  worldwide. 


The  survivability  imperative 

BUSINESS CONTINUITY IS ABOUT SURVIVABILITY, the ability of a system (and those supporting it) to fulfill its mission
in a timely manner despite the impacts of disastrous events.

As demand (from customers, employees, shareholders,
suppliers, and regulators) for continuous operations intensifies,
business processes and the applications and information
that support them are becoming increasingly digital,
increasingly automated, increasingly accessible via public
networks, and increasingly vulnerable to the vagaries of complexity:
failure, accident, and attack.

Thus,  business  continuity  planning  and  development  and 
deployment  of  the  policies  and  technologies  of  survivability 
have  become  an  imperative. 

The  good  news:  A  well-developed  business  continuity  plan 
can  lower  your  organization’s  insurance  premiums.  Begin 
with  an  assessment  that: 

•  Delineates  the  costs  of  disruption  to  normal  business 
operations. 

•  Pinpoints  critical  business  functions,  operations,  facilities 
and  departments,  and  then  defines  the  continuity  require¬ 
ments  of  their  associated  systems,  networks,  facilities,  and 
personnel.


FOUR  QUESTIONS  THAT  COULD  SAVE 
YOUR  COMPANY 

If  you  want  effective  business  continuity  planning,  start  by 
honestly  answering  the  following  questions: 

What  essential  services  must  survive  attack/failure?  Have 
you  determined  which  of  your  business  processes  are  busi¬ 
ness  critical,  which  are  mission-critical  and  cannot  tolerate 
unavailability  or  data  loss? 

What effect will attack/failure have on the company? What
will  downtime  or  total  business  failure  actually  cost  the 
organization?  What  is  your  mitigation  strategy  should  those 
events  occur? 

What  changes  in  architecture,  processes  and  requirements 
can  improve  survivability?  Are  your  key  locations  hardened? 
Have  you  established  availability  and  security  service  levels 
with  partners,  customers?  Are  you  able  to  comply  with  cur¬ 
rent  and  forthcoming  laws  and  regulations? 

Which  changes  offer  the  best  payoff?  Have  you  generated 
solid  business  rationales  to  support  your  risk  mitigation 
investment  choices? 




The  right  management  should  do  more  than  just  protect. 

It  should  also  enable. 

eTrust™  Security  Management  Software 


With  eTrust  security  management  software,  your  information  isn't  just  safeguarded  from  internal  and  external  threats. 
We  provide  authorized  customers,  partners,  and  employees  with  appropriate  access  that  can  help  your  business  grow. 
In  addition  to  securing  data,  eTrust  also  provides  a  single  view  of  your  security  environment,  so  you  can  make  real-time 
decisions  based  on  comprehensive  information.  If  you're  looking  for  ways  to  minimize  risk  while  maximizing  your 
potential,  or  to  get  a  white  paper,  go  to  ca.com/security. 

Computer  Associates® 

©  2003  Computer  Associates  International,  Inc.  (CA).  All  rights  reserved. 


Join  us. 

Call  800.355.0246 
www.cio.com/conferences 


Join  your  peers,  winners  of  this  year’s  CIO  100  award 


August  22-24, 2004 




This  year's  CIO  100 
Awards  Ceremony  is 
proudly  underwritten  by 

PeopleSoft, 


Presented  by 


The  Resource  for 
Information  Executives 


trendlines 


I.T.  MANAGEMENT 


In  Search  of 
Alignment  Answers 


HOW  SHOULD  CIOs  manage  their  applica¬ 
tion  portfolios?  How  can  a  business 
become  more  agile?  The  recently  formed 
Business  Technology  Management  (BTM) 
Institute  is  on  a  mission  to  answer  those 
questions. 


In his 2002 book The Alignment Effect,
Faisal  Hoque  introduced  BTM  as  a  practice 
that  seeks  to  apply  management  science 
theory  to  IT.  For  starters,  Hoque  wants  to 
standardize  the  concepts  and  language  of  IT 
so  that  CIOs  and  other  executives  can  man¬ 
age  IT  value  the  way  manufacturing  man¬ 
agers  use  total  quality  management  to  pursue 
process  improvements. 

Hoque, chairman and CEO of Enamics,
an IT management software vendor, is
chairing the nonprofit BTM Institute and
providing startup funding and administrative
support near Enamics’ offices in Stamford,
Conn. Hoque says he hopes to build
support for the organization by conducting
research, soliciting best practices from leading
companies, publishing white papers and
books, holding events and eventually
expanding membership.

The  founding  members  of  the  BTM 
Institute  include  IT  experts  from  academia 
(such  as  Robert  Zmud,  the  Michael  F.  Price 
chair  in  MIS  at  the  University  of  Okla¬ 
homa)  and  the  business  world,  including 
seven  current  and  former  CIOs.  Members 
are  charged  with  guiding  and  producing 
research  that  will  bring  IT  more  in  line  with 
traditional  business  functions — such  as 
finance — which  have  established  standard 
concepts  and  methods  for  management. 
“Areas  like  finance  and  marketing  have  a 
far  more  established,  repeatable  and  insti¬ 
tutionalized  way  of  managing  their 
processes  than  IT  does,”  Hoque  says. 

V.  Sambamurthy,  the  Eli  Broad  profes¬ 
sor  of  IT  at  Michigan  State  University  and 
cochair  (with  Zmud)  of  the  BTM  Institute 
Academic  Council,  says  the  group’s  part¬ 
nership  with  business  leaders  will  give  its 
research  more  credibility  with  practition¬ 
ers.  “Corporate  access  would  be  difficult 
to  get  if  we  did  this  individually,”  Samba¬ 
murthy  says. 

Andre Spatz, CIO of Unicef and a member of the institute’s CIO Council, says he
wanted to participate in the BTM Institute’s
efforts because there is a dearth of practical
research on IT management. “There’s a lot
of talk and conceptualization about IT management,
but there’s not much documented
research that technology and business are
aligned and yet work together in different
ways,” says Spatz. “My hope is to see some
of that documented and actionable for the
benefit of both sides.” -Jon Surmacz


This Date in IT History

Web Technology Released as Freeware

April 30, 1993

Tim Berners-Lee (right), a physicist,
convinces the CERN research
lab in Switzerland to declare on this
day that the Web technology and
program code should be in the public domain,
meaning that anyone could use and improve it.

It was a fateful decision because it allowed for
the Web to grow, note Berners-Lee and fellow
researcher Robert Cailliau in their online
history of the Web (at livinginternet.com).

Speaking of World Wide Web, Cailliau gives
this explanation for its name:

"During some sessions in the CERN
cafeteria, Tim and I try to find a catching name
for the system. I was determined that the name
should not yet again be taken from Greek
mythology. Tim proposes ‘World-Wide Web.' I
like this very much, except that it is difficult to
pronounce in French.”

Chalk one up for collaboration. At the end of
2003, Berners-Lee becomes Sir Tim, awarded
a knighthood in his native Britain.


“A  thousand  years  ago,  a  paradigm  shift  like 
the  printing  press  took  a  century.  In  recent 
years,  a  paradigm  shift  such  as  the  adoption 
of  cellular  phones  and  the  World  Wide  Web 

takes  just  a  few  years.”  -Ray  Kurzweil,  author  and  inventor 


34 CIO APRIL 1, 2004


www.cio.com


PHOTO LEFT BY STEVEN VOTE: TOP RIGHT BY JOHN SOARES: BOTTOM RIGHT BY FURNALD/GRAY


PRIMEPOWER  servers. 
Designed  for  the  business  that  never  stops. 


Outstanding availability and highly rated service and
support mean your business will be up and running. These
days, availability, performance, and reliability are everything.
As you look to improve enterprise uptime and increase service
levels, you need to demonstrate measurable short-term return
on investment. Enter the Fujitsu® PRIMEPOWER™ line of Solaris™-compatible
servers. From single CPU, rack-mounted servers to enterprise-ready
systems that scale to 128 CPUs in data center applications, we’ve got
you covered. With superb reliability, industry-leading performance, and
service that wins customer praise, PRIMEPOWER servers can dramatically
boost the efficiency of your business. See why so many successful
companies trust their businesses to the infinite power of Fujitsu. Get your
copy of our FREE white paper, Experiences of Enterprise Customers,
at www.computers.us.fujitsu.com/ad/primepower or call (877)905-3644.



THE  POSSIBILITIES  ARE  INFINITE 


©2003 Fujitsu Computer System Corporation. Fujitsu and the Fujitsu logo are registered trademarks and PRIMEPOWER is a trademark or registered trademark of Fujitsu Limited in the United States and
other countries. Solaris is a trademark or registered trademark of Sun Microsystems, Inc., in the United States and other countries. For more information on PRIMEPOWER servers' performance, visit
www.ftsi.Fujitsu.com/services/products/primepower/performance.html#benchmarks




Great  Moments  at  Work. 

4:42  pm  You're  not  stopped  in  the  hall  and 
asked  to  pull  yet  another  up-to-the-second 
project  report. 


© 2004 Microsoft Corporation. All rights reserved. Microsoft, FrontPage,
InfoPath, the Office logo, OneNote, Outlook, PowerPoint, SharePoint,
Windows, Windows Server, Visio, and "Your potential. Our passion." are
either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.




Introducing  the  new  Microsoft  Office  System. 

Now  users  can  do  more  for  themselves  so  you  can  focus  on 
the  important  things.  More  than  just  the  core  suite  you're 
familiar  with,  the  new  Microsoft®  Office  System  is  an  integrated 
system  of  easy-to-use,  expanded  programs,  servers,  services, 
and  solutions  that  help  end  users  be  more  self-sufficient. 
With  the  Microsoft  Office  Enterprise  Project  Management 
Solution  (including  Microsoft  Office  Project  Server  2003, 
Microsoft  Office  Project  Professional  2003,  and  Microsoft 
Office  Project  Web  Access),  users  can  have  access  and 
visibility  into  all  of  their  projects,  including  current  status, 
integrated  costs  from  business  systems,  risks,  and  all  project 
documents — all  on  their  own.  Which  might  just  be  the  most 
valuable  part  of  it  all.  To  find  out  how  the  Microsoft  Office 
System  can  work  for  you,  go  to  microsoft.com/officelT 


Microsoft 
Office  System 


More  than  what  it  used  to  be,  it's  now  a 
comprehensive,  customizable  system. 


Programs

Access 2003
Excel 2003
FrontPage® 2003
InfoPath™ 2003
OneNote™ 2003
Outlook® 2003
PowerPoint® 2003
Project 2003
Publisher 2003
Visio® 2003
Word 2003


Servers

Project Server 2003
Live Communications Server 2003
Exchange Server 2003
SharePoint™ Portal Server 2003


Services

Live Meeting
Office Online


Solutions

Solution Accelerators

Enabling  Technologies: 

Windows  Server™  2003,  Windows®  SharePoint  Services, 
Rights  Management  Services 




Peer  to  Peer 

Field-Tested  Ideas  from  CIOs  for  CIOs 


What I Learned in School

The  CIO  for  a  large  school  district  found  that 
listening  to  her  peers  on  the  educational  side 
helped  her  rebuild  IT’s  credibility 

BY  MARCIA  BOHANNON 

WHEN  I  JOINED  Jefferson  County  Public  Schools  as  CIO  in  mid-2002, 
I  knew  I  was  walking  into  a  troubled  situation.  My  predeces¬ 
sor  had  been  asked  to  leave  amid  allegations  of  poor  fiscal 
management.  IT’s  reputation  had  taken  a  huge  hit.  There  was 
so  little  trust  in  my  department  that  the  only  goal  identified  in 
the  2002-2003  district  strategic  plan  for  IT  was  to  end  the  year 
within  budget.  There  were  no  stated  service  or  performance 
expectations  and  certainly  no  expectations  of  strategic  input. 

There  was  also  the  matter  of  a  multimillion-dollar  deficit 
that  had  to  be  paid  off  within  two  years,  higher  than  normal 
public  scrutiny  and  an  IT  staff  that  believed  it  had  paid  with  its 
own  blood  for  management’s  indiscretions. 

On  top  of  all  that,  the  CIO  position,  which  used  to  report 
directly  to  the  superintendent  (equivalent  to  a  company’s  CEO), 
now  would  be  reporting  to  the  COO.  I  knew  my  path  would 
be  a  lot  smoother  if  I  had  direct  access  to  the  superintendent 
and  her  direct  reports,  but  it  was  no  surprise  that  my  superin¬ 
tendent  was  now  organizationally  shielded  from  IT.  Jefferson 
County  Public  Schools  was  truly  an  organization  that  felt  it 
had  suffered  greatly  at  the  hands  of  poor  IT  management. 


Because  I  was  new  to  the  district — and  to  K-12  education  in 
general — I  knew  I  had  much  to  learn.  So  I  began  my  tenure  by 
meeting  with  people  across  the  district.  For  several  months,  I  did 
nothing  but  listen  and  ask  questions.  On  more  than  one  occa¬ 
sion,  I  was  told  that  my  predecessor  had  reorganized  IT  within 
weeks  of  his  arrival.  This  was  related  to  me  with  such  distaste 
that  I  knew  a  fast  turnaround  plan  would  not  work. 

It  quickly  became  apparent  to  me,  however,  that  some  imme¬ 
diate  reengineering  of  both  information  technology  and  dis¬ 
trictwide  processes  was  necessary.  I  decided  to  look  inward  first. 
During  my  discovery  phase  at  the  district,  I  uncovered  a  few 
ahas  that  identified  areas  for  potential  improvement.  One  was 
budget  management.  The  previous  IT  organization  had  four 
separate  departments,  and  their  budgets  were  not  managed  in 
any  coordinated  way.  So  I  encouraged  the  use  of  standard 
reporting tools for monitoring and reporting actual expenditures
versus budgeted amounts. And I provided consistent training
in the use of these reporting tools. I also now require each
manager to estimate expenditures remaining for the year so
that we can more accurately predict year-end results. Although
we’re still working on this, the budget process has improved by
leaps and bounds. We ended the 2002-2003 fiscal year with
enough surplus to pay off the technology deficit a full year early.


ILLUSTRATION BY ALISON SEIFFER


Robert Otto
CIO and CTO


"We have a motto that says IT will not
stand in the way of what the business
needs to do." — Robert Otto


Great Moments at Work.


Success Stories of an IT Hero


The United States Postal Service,
Washington, D.C.

Robert Otto started his professional
career as a clerk. Today he is the CIO and
CTO of the United States Postal Service®,
which processes about 55 percent of the
world's daily mail volume. Tasked with
reengineering the USPS's technology
infrastructure, he's led an effort to consolidate
and centralize disparate systems,
standardize tools and vendors, upgrade
the network, and embrace the Web and
wireless technology.

Otto and his team have built an advanced
computing environment that has saved
the USPS® some $50 million annually.
More than 30 Web-enabled self-service
applications help employees manage
items such as health benefits and life
insurance, as well as training on demand.

Last year, more than 176 million consumers
used the usps.com website. The
USPS also introduced a hugely popular
desktop service called Click-N-Ship®,
which allows mailers to create their own
shipping labels.

Great Moment at Work: "Seeing the
positive impact this project has had on the
employees and customers of the USPS."

Microsoft Office System salutes those
who have done great work in the IT field.


© 2004 Microsoft Corporation. All rights reserved. Microsoft and the Office logo are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and
products mentioned herein may be the trademark of their respective owners.

When  I  first  came  aboard,  I  discovered  that  we  had  more 
than  100  projects  going  on  within  IT,  with  only  75  people  in  the 
department.  We  had  no  formal  process  for  initiating,  planning, 
monitoring,  measuring  or  even  terminating  projects.  So  I  intro¬ 
duced  a  project  management  office  to  add  structure  and  disci¬ 
pline  to  the  management  of  projects  and  initiatives. 

I  also  reorganized  my  production  areas  to  align  with  cus¬ 
tomer  needs.  Where  before  my  departments  were  segregated 
according  to  product  expertise,  we  now  have  teams  of  product 
specialists  grouped  according  to  the  functions  they  perform. 


We  also  now  have  a  new  position  focused  solely  on  managing 
all  customer-facing  personnel.  The  infusion  of  new  ideas  and 
new  team  arrangements  are  promoting  cross-department  com¬ 
munication  where  it  did  not  exist  before.  But  cleaning  house 
internally  was  just  the  beginning. 

Those  of  us  leading  enterprisewide  IT  initiatives  understand 
that  IT  can’t  work  in  isolation.  Good  relationships  with  busi¬ 
ness  departments  are  critical  to  IT’s  success.  Here  again,  my 
department’s  reputation  was  poor.  Business  users  told  me  that 
during  a  recent  ERP  upgrade,  IT  had  made  decisions  about 
functionality  and  rollout  logistics  without  consulting  users.  My 
staffers  told  me  that  they  had  tried  to  ask  the  users  for  input, 
but  the  users  either  didn’t  know  what  they  wanted  or  couldn’t 
understand  what  they  were  being  asked  about.  Clearly,  we  had 
a  glitch  in  communication. 

So one of the first things I did was add a staff member who
focused  solely  on  client  communication,  bridging  the  gap 
between  technical  and  business  language.  Although  one  person 
within  an  organization  of  12,000  employees  cannot  interpret  all 
customer  needs,  she  has  already  made  tremendous  progress  in 
improving  interaction  between  the  instructional  departments 
and  IT  personnel.  For  instance,  my  new  teams  now  give  users 
a heads-up about planned outages and what kind of downtime
they  might  expect.  I  consistently  receive  appreciative  feedback 
from  business  managers  about  this  improved  communication. 


In 1998, the school district implemented PeopleSoft in both
HR  and  financial  systems.  When  I  was  hired  in  2002,  it  was 
clear  that  the  district  had  not  yet  achieved  enterprisewide  col¬ 
laboration  as  evidenced  by  the  high  number  of  point  applica¬ 
tions  still  in  use  and  the  many  piecemeal  customizations  needed 
to  maintain  existing  business  processes.  This  shortcoming 
offered  me  an  excellent  opportunity  to  make  a  real  difference. 
So  I  created  an  interdisciplinary  executive  steering  committee 
made  up  of  the  superintendent  and  her  business  unit  leaders  to 
help with decision making on the PeopleSoft implementation.
This  group  reviewed  and  approved  all  customization  requests 
and  made  the  major  decisions  about  the  project.  Not  only  did 
the  formation  of  this  committee  move  the  burden  of  decision 
making  from  IT  to  the  business  where  it  belonged,  but  it  had 
the  added  benefit  of  educating  business  leaders  about  IT. 

My  next  step  was  to  broaden  the  committee’s  scope. 
Approximately  six  months  after  the  committee  formed,  I 
changed  the  scope  of  its  responsibilities  to  cover  all 
IT  initiatives.  Its  existence  has  improved  commu¬ 
nication  between  IT  and  business  immeasurably. 

One  of  the  first  challenges  for  any  CIO,  of 
course,  is  getting  a  seat  at  the  CEO’s  table  as  an 
equal  member  of  the  executive  team.  To  address 
this,  I  began  one-on-one  meetings  with  the  super¬ 
intendent.  Luckily,  my  manager  (the  COO)  was 
not  threatened  by  these  meetings,  which  introduced  me  to  the 
superintendent’s  style  of  decision  making  and  helped  me  to 
understand  what  was  important  to  her.  It  also  gave  me  a  chance 
to  explain  my  approach  and  how  IT  could  help  the  organiza¬ 
tion.  Establishing  this  contact  has  been  very  important  for  both 
of  us  to  build  much-needed  trust  and  respect. 

I  try  also  to  meet  with  individual  department  heads  as  much 
as  their  schedules  will  allow.  Each  time  we  meet,  it  offers 
another  chance  to  share  ideas  and  concerns.  My  experience 
with  similar  situations  in  the  past  has  taught  me  that  patience 
is  critical.  Listening  and  learning  has  helped  me  build  credibil¬ 
ity  faster  than  any  quick  turnaround  strategy  ever  would  have. 

I  still  have  a  long  way  to  go.  And  I  accept  that  IT  may  never 
find  a  place  at  the  superintendent’s  table.  If  you  find  yourself  in 
this  position,  the  key  question  to  ask  is:  Am  I  upset  because  my 
place  on  the  org  chart  is  damaging  the  business  or  throwing  up 
roadblocks  to  my  department’s  success?  Or  is  my  dissatisfac¬ 
tion  just  a  matter  of  wounded  pride?  Either  way,  I  counsel 
patience.  Perhaps  one  day,  you  and  I  both  will  be  able  to  pull  up 
a chair at the executive table.


Marcia Bohannon is the CIO of Jefferson County Public
Schools, which comprises more than 85,000 students
and 148 schools west of Denver. She can be
reached at mbohanno@jeffco.k12.co.us.




“Using Citrix to consolidate the
complex  retail  IT  environment 
that  reaches  across  our  250 
locations  in  Europe  dramatically 
improved  the  performance  of 
our  applications.  It  also  cut  the 
TCO  for  this  IT  environment  by 
over  20%.” 


Dr.  Hartwig  Faber,  CIO 

smart  -  a  brand  of 
DaimlerChrysler 


INFRASTRUCTURE  FOR  THE  ON-DEMAND  ENTERPRISE 

The  astounding  success  of  smart  demanded  timely 
expansion  of  the  auto  manufacturer’s  sales  and  service 
centers.  Over  250  dealers  in  Europe,  representing 
thousands  of  employees,  needed  secure  access  to  several 
mission-critical  applications.  Further  growth  depended 
on  the  rapid  rollout  of  an  innovative,  cost-effective, 
centralized  application  infrastructure  solution.  Naturally, 
smart  called  on  Citrix.  smart,  along  with  99%  of  the 
Fortune  500,  uses  Citrix®  software  to  deploy  applications 
centrally  for  secure,  easy,  and  instant  access  to  business- 
critical  information — anywhere,  anytime,  from  any  device. 
We  call  it  the  on-demand  enterprise.  And  it’s  helping 
more  than  120,000  of  our  customers  save  money  and 
reduce  IT  complexity.  To  learn  what  Citrix  can  do  for 
your  business,  call  888-820-7918  or  visit  www.citrix.com. 


CITRIX 


©2004 Citrix Systems, Inc. All rights reserved. Citrix is a registered trademark of Citrix Systems, Inc. in the U.S.
and other countries. All other trademarks and registered trademarks are the property of their respective owners.


SETTING NEW NETWORK
SECURITY PRIVILEGES
FOR 860 USERS? THAT'LL
TAKE DAYS...WEEKS...


These  days,  no  network  is  free  of  threats.  That’s  why  you  have  to  assign  network  security  privileges  to 
everyone.  Employees,  customers,  and  partners.  You  need  to  set  an  acceptable  use  policy  that  dictates 
what  each  of  them  can  and  can’t  access.  Until  now,  you  had  to  do  this  manually. 

Not  anymore.  Now  you  can  do  what  Baylor  University  did.  Implement  an  Enterasys  Secure  Networks™  solution 
with  a  unique,  policy-based  system  that  empowers  the  network  to  allocate  resources  based  on  specific  users 
and their roles. The network “sees” who the user is and assigns privileges accordingly. This improved control
also  gives  you  more  security. 


It's  all  about  giving  you  a  smarter  way  to  network  with  central,  intuitive  management.  Find  out  more  at 
networksthatknow.com/Baylor.  Or  ask  any  one  of  the  many  enterprise  customers  we’ve  worked  with  for  years. 


Howard Rubin | Real Value

Practical  Counsel  for  Capturing  IT  Value 


Where's the Beef?

The  first  step  to  determining  and  measuring  value  is  to 
create  categories  for  your  company’s  business  goals 
and  then  prioritize  your  IT  initiatives  within  them 

IN  THE  MID-1980S,  a  famous  TV  commercial  ran  with  the  punch  line 
“Where’s the beef?” Roughly at the same time, surveys of the
nation’s  technology  leaders  found  business  executives  and  CIOs 
both  asking,  “Where’s  the  IT  value?”  Twenty  years  later,  that 
same  question  is  still  being  asked — but  not  for  lack  of  ways  to 
measure  it. 

You would expect, given the Balanced Scorecard, real
options analysis, business case analysis, portfolio management
and all the other ways to compute ROI (more than there are
lottery game choices), that IT value would be well understood
by now. But that’s simply not the case. There are as
many  reasons  for  this  as  there  are  options.  But  one  key  fac¬ 
tor  is  that  most  people  skip  the  important  step  of  defining 
just  what  it  is  they’re  measuring.  Before  you  can  leap  to 
quantifying  value,  therefore,  you  must  first  focus  on  identi¬ 
fying  what  kinds  of  processes  are  of  true  business  value  to 
the  organization.  Just  what  are  the  business  needs  you  are 
seeking  to  support  and  drive?  The  precursor  to  this  value 
quantification  is  value  “categorization.”  Once  you  have  your 
enterprise’s value categories identified, then you have a new
and powerful basis for describing where IT investments are
going and measuring their true value in terms your business
peers can understand.

Today,  most  CIOs  communicate  IT  value  and  finances  to 
their  internal  business  customers  by  reporting  spending  on 
applications  development,  maintenance  and  infrastructure. 
Instead,  imagine  if  CIOs  reported  on  what  is  spent  on  grow¬ 
ing  revenue,  retaining  customers  and  complying  with  regu¬ 
latory  demands — that’s  what  value  categorization  enables. 
It  increases  transparency  and  provides  a  sound  basis  for 
measurement  because  it  gives  CIOs  the  tools  and  the  terms 
that  the  business  understands.  For  instance,  what  if  the  CIO 
reported  spending  $30  million  on  operating  expenses  for 
maintenance?  That  sounds  bad.  But  if  the  CIO  were  to 
change the terminology by showing more precisely how these
expenses are supporting the development of new products,
then they would be using terms that the business side can
actually understand. The “beef” in value categorization has
to do with finally being able to link IT to where and how the
business value of IT shows up. Those that have taken this
approach are now experiencing tighter business to IT alignment,
more effective IT investment planning and overall IT
transparency.


ILLUSTRATION BY ANTHONY FREDA


BY NOON, THE IT DEPARTMENT WILL BE
ALERTED TO 750 DIFFERENT PROBLEMS.


ONE OF THEM WILL LOSE 115
ONLINE RESERVATIONS A MINUTE.


CAN YOUR SOFTWARE TELL YOU WHICH ONE?


Business Service Management solutions from
BMC Software® can. They automatically prioritize
IT management issues according to business
importance and alert you before potential problems
can impact performance. They also let you prioritize
IT investments and resource allocations to optimize
your business results. So you can solidly align your
IT investments with strategic business goals. And
protect the delivery of vital business services like
online transactions, sales, customer service, logistics
and distribution — whatever is most critical to your
company's success. It's enterprise management
software that works with your existing IT resources
to let you manage what matters from a business
perspective and execute with precision. Find out
how at www.bmc.com/bsm48


© 2004 BMC Software Inc.

Linking  IT  to  Business  Goals 

Look  at  any  company’s  annual  report,  and  the  categories  of 
things that are valuable should be clear. Value to a profit-focused
enterprise comes from supporting revenue growth,
protecting  revenue,  cost  reduction,  cost  avoidance,  regulatory 
compliance,  generating  customer  satisfaction  and  loyalty,  and 
perhaps  more. 

Once you can list the categories of value, identifying the right measures becomes much easier. However, some things a company does with IT do not likely have a direct impact right to the top line or bottom line. An investment doesn’t have to be directly linked to profits to be valuable or to eventually be important to the health of the company. So how do you make the connection from IT investment to value? Those investments that directly have an impact on a company’s finances, its revenue or profitability are first-order investments. IT systems that support the customer (service quality, satisfaction), which then, in turn, translate into financial performance, have a less direct impact and are therefore second-order effects. Those that affect business processes, which, in turn, may have financial impacts and customer impacts, are third-order effects. And those that affect the organization itself and its ability to grow and learn—thereby influencing the other three areas—are fourth-order effects. By looking at your investments and placing them in one of these value categories, it becomes much easier to explain the value of IT in business terms.

But  how  exactly  can  you  determine  just  where  an  IT  system 
should  fall?  As  I’ve  tried  to  show  in  this  column,  the  answer 
depends on the business and strategic planning your company’s
business leaders have already laid out. And once again, one of
the  best  ways  to  start  this  process  is  to  read  your  company’s 
annual  report,  which  contains  information  on  your  company’s 
market  strategy  and  what  its  future  goals  are. 

Then,  while  keeping  the  enterprise’s  business  strategy  in 
mind,  answer  the  following  four  questions: 

1. What is the vision of financial performance? Typical answers would be something like “revenue growth” or “higher earnings.”

2. What is being done from a customer perspective strategy? Typical answers are “better customer service,” “increased loyalty and retention” or “enhanced customer experience.”

3. What is being done from a process perspective? Typical answers are “reduce cost,” “reduce cycle time” or “to improve quality.”

4. What is being done from an organizational and learning perspective to help drive the goals? Typical answers are “increase information-sharing” or “improve employee satisfaction.”

Once you get through this exercise you have your value categories identified. Now task your organization with lining up its portfolio or operational systems and projects with them. Create a chart showing spending by value category. And in this chart identify how that investment helps to generate value in a way that truly helps to propel the business forward—either with some sort of a direct financial impact, impact on the customer, impact on process or impact on the organization. And finally list the measures that show that the desired goal is being attained.

A CIO at a large multinational company I know took these basic steps five years ago. Today, it does only value-based reporting of IT performance. Every technology expense is related to one category of value—revenue growth, cost reduction, cost avoidance, market growth and regulatory compliance—and a complete portfolio profile of impacts, key performance indicators and risks is maintained. The results are extremely high business alignment of IT with about 30 percent less cost than peer companies, and comparably high IT effectiveness. If a project doesn’t fit into one of the value categories, it doesn’t get done.

Doing  value  categorization  right  means  getting  back  to 
basics  from  a  pure  business  and  non-IT  vantage  point.  But 
that’s  what  IT  investment  should  be  all  about  anyway.  It’s 
about business results and business value, and
not about the technology by itself at all.


Howard  Rubin,  an  expert  on  measuring  value,  is  an 
executive  vice  president  of  Meta  Group  and  can  be 
reached  at  howard.rubin@metagroup.com. 



FOR  THE  IRS  THERE’S 


The Internal Revenue Service’s Master File is an accident waiting to happen. A legacy of the Kennedy administration, this database stores the taxpaying histories of 227 million individuals and corporations, including every transaction between taxpayers and the IRS for the past 40 years. The Master File is used to determine if you’ve paid what you owe, and without it the government would have no way to flag returns for audits, pursue tax evaders or even know how much money is or should be flowing into its coffers.

Yet  the  system  still  runs  code  from  1962, 
written  in  an  archaic  programming  language 
almost  no  one  alive  understands.  Every  year, 
programmers,  some  who  have  worked  at  the 
IRS  for  decades,  add  new  code  to  the  Master 
File  to  reflect  new  rules  passed  by  Congress. 
As  a  result,  the  system  has  become  a  high-tech 
Rube  Goldberg  machine.  Those  familiar  with 
the  Master  File  say  it  is  poised  for  a  fatal  crash 
that  would  shut  the  government  down. 

Congress and the IRS had hoped that by this tax season, this fragile system would be partially replaced by a centralized database that could provide both IRS agents and individual taxpayers with daily updates of taxpayer accounts, just as credit card companies and banks do, enabling speedier refunds and more timely customer service. This new Customer Account Data Engine, or CADE, is part of a massive $8 billion modernization program launched by the IRS in 1999 to upgrade its IT infrastructure and more than 100 business applications.

But the program, called Business Systems Modernization, has stumbled badly, running into serious delays and substantial cost overruns. The first of multiple software releases planned for the new database (which would enable faster processing of returns and faster refunds for 6 million out of the 21.5 million people who file the 1040EZ form) is nearly three years late and $36.8 million over budget. Eight other major projects have missed deployment deadlines by at least three months, and costs have ballooned by more than $200 million, according to the U.S. General Accounting Office and the congressionally chartered IRS Oversight Board, an independent panel of tax industry and technology experts who advise the IRS and Congress.

Reader ROI

► Why business unit accountability is critical to any large, complex project

► The costs of ever-changing project leadership

► Lessons from the IRS’s cascading failures

By assembling a star-studded team of vendors, the IRS thought its $8 billion modernization project would manage itself. The IRS thought wrong. Now the agency’s ability to collect revenue, conduct audits and go after tax evaders has been severely compromised.

PHOTO BY RON HOLTZ

Cover Story | Project Management

W. TODD GRAMS, who was appointed CIO of the IRS last year—the fourth in seven years—has had his hands full trying to move the modernization project back on track.

Those familiar with the program say the fault lies largely with the IRS’s entrenched bureaucracy. The agency did not follow its own procedures for developing the new systems and failed to give consistent direction and oversight to Computer Sciences Corp. (CSC), the vendor it hired to do the work. Longtime managers resistant to change undercut CSC and the private-sector IT executives who were hired to oversee the program, according to Mark Forman, who, as associate director for IT and e-government at the Office of Management and Budget, oversaw the government’s major IT initiatives from June 2001 until last summer. Three CIOs have come and gone in the seven years since planning began for Business Systems Modernization.

For their part, IRS executives, as well as the IRS Oversight Board, say CSC was overwhelmed and underqualified. They complain that CSC didn’t fully understand the tax collection business or grasp the complexity of the assignment, an assessment the company does not dispute. “I have never encountered a program of the size and complexity as the Business Systems Modernization program at the IRS,” Paul Cofoni, president of CSC’s Federal Sector business, told the U.S. House Ways and Means Oversight Subcommittee at a recent hearing.

More than once, the IRS considered firing CSC. Each time, officials decided against it, although in February, IRS Commissioner Mark Everson barred CSC from taking on any new projects unless it meets deadlines for delivering work in progress. Charles Rossotti, who was IRS commissioner from the launch of the program until the end of 2002, now says it was a mistake to think that CSC, or any vendor for that matter, could manage such a huge undertaking without heavy input from the IRS. “We really thought we were going to have a very, very thin IRS team managing this,” recalls Rossotti, who is now a senior adviser to The Carlyle Group.

Indeed, Business Systems Modernization provides a case study for almost everything that can go wrong managing a large, complex IT portfolio. At stake in this bungled implementation is the IRS’s very ability to conduct timely audits and go after tax evaders, not to mention its long-term goal of delivering customer service on par with private-sector financial institutions. If the Master File crashes, the government would not be able to collect its $2 trillion in revenue or pay for anything, whether it’s Social Security benefits or the bill for new weapons systems. Meanwhile, the cost of collecting $1 of revenue—45 cents in 2002, the last year for which statistics are available—has not appreciably declined in two decades. Modernization “is crucial to delivering better service to taxpayers and increasing the agency’s efficiency and productivity,” said Larry Levitan, a member (and former chairman) of the IRS Oversight Board, at the House Ways and Means hearing.

THERE WAS A TREMENDOUS fear about delivering bad news on the part of the vendor and the IRS. They were afraid they were going to lose their jobs, that Congress was going to stop the funding. -JOHN REECE, FORMER IRS CIO

A LEGACY OF FAILURE

THE IRS HAS TWICE BEFORE FAILED TO MODERNIZE. In the late 1970s, President Carter put the kibosh on a project to replace the aging Master File when an external review questioned whether the agency could adequately protect taxpayer privacy. Almost two decades later, in 1995, Congress pulled the plug on a second modernization program after the IRS spent 10 years and $2 billion with little to show for it.

At that time, it was clear to the IRS’s congressional overseers what had gone wrong. Projects didn’t have business sponsors. Contracts with vendors didn’t have clear deliverables. And no one, either within the IRS or among its dozens of contractors, was held accountable for results. (For more about past IRS project management problems and the early stages of Business Systems Modernization, see “The Taxman’s Burden” at www.cio.com/printlinks.)

To prevent those problems from recurring, the IRS and Congress tried to apply textbook IT management wisdom. In 1996, the IRS hired a new CIO, Arthur Gross, who had directed the modernization of New York state’s tax systems, to craft a strategy for updating the agency’s IT infrastructure and systems. A year later, President Clinton appointed IRS Commissioner Rossotti, an entrepreneur whose company, American Management Systems, developed accounting systems for financial services and government clients. As the first IRS commissioner who was a businessman—not a tax expert—Rossotti was selected to champion change.

With Congress’s blessing, the agency made plans to outsource Business Systems Modernization to a prime contractor. The contractor would bear the burden of program management and systems integration. The vendor was supposed to be a “thought leader,” bringing in fresh ideas for how IT could transform the agency’s business processes.

PHOTO BY CHRIS HARTLOVE

Around the same time, Congress passed a law reforming IRS management and raising salaries for key managers, including the CIO, to attract talent from the private sector. The IRS Reform and Restructuring Act also mandated a reorganization of the IRS bureaucracy from a set of geographically based fiefdoms to a structure organized by business function. For instance, the Wage and Investment Division is responsible for dealing with individual taxpayers and their returns, while other divisions serve different types of businesses.

As part of this realignment, Rossotti put the CIO in charge of the entire IS budget and staff, large portions of which had been dispersed among the old geographic units. The modernization team morphed into a new Business Systems Modernization Office, or BSMO (pronounced “Bizmo”), reporting to Rossotti and the CIO. When Gross quit a few months into Rossotti’s tenure (the two didn’t get along), Rossotti hired Paul Cosgrave, a consultant with more than two decades of private-sector experience. By the end of 1998, the IRS had chosen CSC over Lockheed Martin to lead a team of elite vendors, including IBM, Lucent, Northrop Grumman, Science Applications International and Unisys. Rossotti wanted a roster of heavy hitters with large project experience. The team CSC put together (called Prime) had a long history of working with the IRS on its legacy systems.

The  IRS  and  CSC  would  spend  most  of  the 
next  year  planning.  Even  today,  some  of  these 
early  steps  are  praised  by  the  program’s  critics. 


JOHN  REECE,  who  became  CIO  in  2001 
and  left  two  years  later,  was  caught 
between  a  lame-duck  IRS  commissioner 
and  a  bureaucracy  resistant  to  change. 


“They  had  a  good  plan  and  a  good  strategy, 
and  I  think  they  still  do,”  says  former  IRS 
Oversight  Board  Chairman  Levitan.  “The 
problem  was  they  didn’t  execute  it.” 

In fact, the threads that held Business Systems Modernization together began to unravel almost immediately.

THE  ENEMY  WITHIN 

DESPITE  THE  FACT  THAT  THE  IRS  AND  CSC  HAD 
agreed  that  CSC  would  make  most  project- 
related  decisions,  midlevel  IRS  managers 
never  bought  into  the  concept.  They  were  used 
to  doing  things  themselves,  their  way. 

Within the agency’s IS department, resentment seethed between what one CIO called the “fair-haired folk” who worked on modernization and the rest of the 8,500-strong technology workforce that kept the existing systems running. Despite the fact that the modernized systems would eventually replace the legacy applications and infrastructure, managers operating those systems were frequently left out of the loop when the new systems were being discussed. The thinly staffed Bizmo either didn’t have the time, or didn’t make the time, to educate their peers. Nor, in the IRS’s view, did CSC make much effort to reach out to those legacy managers. As a result, designs for new systems often lacked important requirements, and this empowered the managers of the legacy systems to push for customizations that did not conform to new enterprise standards.

In fact, no one, not even the CIO, had enough stature within the agency to champion the business process changes that modernization required. Business managers were involved in approving plans, making deployment decisions and resolving problems, but only as members of large committees—not as accountable individuals. Scoping out requirements and getting the projects done was considered IS’s responsibility, and business unit leaders were not held accountable for ensuring that new systems were delivered. “That was probably the single biggest issue,” says Levitan.

5 Lessons Learned from the IRS’s Modernization Follies

FIND MULTIPLE CHAMPIONS. As the chief executive, IRS Commissioner Charles Rossotti was an important advocate for change, but his efforts failed to percolate down to the rank and file. Critics say the agency didn’t have enough of its managers engaged in its modernization project early on. This created a disconnect between the people designing the new system and the people who would ultimately use it.

DON’T EMBARK ON PROJECTS WITHOUT THE PEOPLE TO RUN THEM. The IRS allowed projects to move ahead even though it didn’t have enough qualified people to manage them. Inexperienced, overwhelmed project managers made bad decisions and failed to notice problems until they became acute. Now the agency is reducing its project portfolio to better match its management capability.

DISTRIBUTE ACCOUNTABILITY BEYOND I.S. The IRS did not hold business leaders accountable for the projects that affected their domain, and decisions often emerged from huge committees. As a result, the agency ended up giving conflicting instructions to its own staff and to its vendors, which contributed to delays and cost overruns.

FOLLOW YOUR OWN PROCEDURES. Although the IRS and its contractor, Computer Sciences Corp. (CSC), established procedures for its modernization projects, they weren’t always followed. Either managers didn’t understand them or thought it expedient to ignore them. The IRS paid for these lapses when it had to fix the problems that cropped up as a result.

DON’T LET PROBLEMS FESTER. It was clear early on that the original concept of completely outsourcing systems development to CSC wasn’t working, but the IRS didn’t put on the brakes until its vendor missed a major deadline and millions of dollars had been spent. -E.V.

When Cosgrave resigned as CIO early in 2001 (ostensibly because of the financial restrictions of being a public official), John Reece, who had recently retired as CIO of Time Warner, was offered the job. He says he was so disturbed during his interviews by “the body language and the comments people made” about Bizmo and IS operations that he told Rossotti over dinner that he had to have control over both modernization and operations to bring them together. Rossotti agreed.

FIXING  TOO  LITTLE,  TOO  LATE 

REECE WAS NO STRANGER TO BIG PROJECTS, bureaucratic foot-dragging or the need to ride herd on vendors. At Time Warner, he had overseen the installation of numerous enterprisewide systems. A large part of that was corralling diverse business divisions that “were almost at war with each other.”

But soon after Reece sat down at his government-issued desk in March 2001, he realized that the problems facing Business Systems Modernization were bigger than he had thought. Of the first set of projects that were scheduled for deployment, most were late and over budget. A system for routing taxpayer inquiries to the IRS call center was fielded only after several sleepless days of testing and frantic calls to suppliers for help tuning equipment. Two other projects—an application to make audits more efficient and online services for tax preparers—suffered from scope creep. The Customer Account Data Engine, scheduled to launch in May 2002, was also about to derail.

Neither Bizmo nor CSC had developed a full set of procedures to follow. Nor were they following the procedures they had established. As the treasury inspector general for tax administration would later report, among CSC’s lapses was its failure to properly measure project costs, adequately define requirements and fully assess project risks. “The estimates that were done early on were built on such fragile knowledge that they were useless,” says Reece. He was incensed, and he let CSC know it. He even broached the idea of firing CSC, but became convinced it wouldn’t be practical. For one thing, no one was ready to declare the effort a failure. The issue became “how to fix Prime’s warts and turn them into the Prince Charming we need them to be,” says Reece. The IRS had already forced out one general manager that CSC had put in charge of Prime. Reece would go through two more.

Vendor executives involved with Prime concede that the team needed more experienced managers with deeper understanding of the tax administration business. But the IRS wasn’t doing its job either. According to the inspector general, Bizmo had allowed the audit application to go forward without having CSC define its security requirements and without resolving whether it would be integrated with other IRS applications. Officials added last-minute requirements to the online services project. And in the rush to deploy the call center application, the IRS gave the green light without proof it had passed testing.

There were other hassles. According to Reece and industry sources, it took weeks to get approval for something as simple as purchasing equipment. As the delays mounted, so did the costs.

Even before Reece came aboard, it was clear that the IRS needed a bigger, more experienced staff to oversee Prime and make sure it was following procedures. Levitan wanted to hire more outsiders who had done large, complicated projects. But Reece faced internal grumbling over the higher salaries set aside for outside hires. He took the expedient route and filled some of the positions with insiders who could start the job right away, even though they didn’t have all the qualifications he was looking for. In hindsight, says W. Todd Grams, who was the CFO at the time and would eventually replace Reece as CIO, the agency made a mistake in thinking that its “superstars” from operations could be successful without additional help from outsiders.

THE  WHITE  FLAG  FLIES 

BY  THE  BEGINNING  OF  2002,  IT  BECAME  CLEAR 
that  CSC  and  its  subcontractor,  IBM,  would 
not  be  able  to  deliver  the  Customer  Account 
Data  Engine  on  time.  A  few  months  before  the 
software  was  due,  CSC’s  program  manager 
delivered  a  progress  report  indicating  that 
CADE  would  not  be  delivered  on  time,  a  report 
that  “Fred  [Forman,  the  Bizmo  manager]  and  I 
sort  of  threw  up  all  over,”  Reece  recalls. 

The missed deadline came as a shock to Reece, who hadn’t known the extent to which the project was in trouble. “There was a tremendous fear in the organization” about delivering bad news on the part of both Prime and the IRS, he says now. “They were afraid they were going to lose their jobs, that Congress is going to stop the funding” because of past failures. At a tense “come to God” meeting in February 2002 that Reece, Forman, Rossotti and Levitan held with CSC CEO Van Honeycutt and the company’s COO, “we said, Either you guys shape up or ship out,” Reece recalls. The IRS capped the cost of the project at $97 million—the latest budget estimate—so that any new delays would occur on the vendors’ dime.

Five ONGOING IRS Modernization Projects

Project | Status | Past Due Date | Cost Overrun to Date
E-SERVICES: Online services for tax preparers | Under deployment in phases this year. | Two years | $86 million
CUSTOMER ACCOUNT DATA ENGINE (CADE): Faster processing of tax returns | First of multiple releases scheduled for deployment this August. | Three years | $36.8 million
INTEGRATED FINANCIAL SYSTEM: Accounting system for IRS internal operations | Deployment slated for October. | One year | $50 million
MODERNIZED E-FILE: Online filing of tax returns | Scheduled for deployment this spring. | Four months | $17.1 million
CUSTODIAL ACCOUNTING PROJECT: Accounting system for tax revenue | First phase scheduled to be deployed in August. | 20 months | $59.5 million

SOURCES: The IRS, IRS Oversight Board and General Accounting Office

The source of the trouble was that CSC and IBM had let slide a critical and complicated piece of middleware, called “balance, control and reconciliation,” that was needed to ensure that the data processed by CADE was updated in the Master File, which contains taxpayers’ complete account records. “They had identified the need to do the code but hadn’t immediately committed a staff to do it,” Reece says.

PEOPLE ASK, Is modernization going to fail? I say we can’t let it fail. This program must succeed for the welfare of the entire federal government.
-LARRY LEVITAN, FORMER CHAIRMAN OF THE IRS OVERSIGHT BOARD

Though the IRS faults its vendors for the screwup, the agency also contributed to the mess. A report on the project by the inspector general found that IRS executives approved CADE for development even though CSC had not completed its design work on the balance, control and reconciliation code. Meanwhile, both the agency and CSC neglected to get input from the staff that runs the Master File at the IRS data center in Martinsburg, W.Va.—who would ultimately run CADE—about how to integrate the two systems. When the Martinsburg staff members finally did weigh in, the information they gave CSC conflicted with the information CSC had from Bizmo. Rather than working out the differences, CSC ignored both groups and came up with its own solution altogether.




Five COMPLETED IRS Modernization Projects

Project | Status | Cost Overrun
SECURITY AND TECHNOLOGY INFRASTRUCTURE RELEASE 1: IT infrastructure | Five months late | $7.6 million
CUSTOMER COMMUNICATIONS 2001: New call center system | Nine months late | $5.3 million
CUSTOMER RELATIONSHIP MANAGEMENT EXAM: Auditing tools for examiners | Three months late | None ($1.9 million under budget)
HUMAN RESOURCES CONNECT: Internal HR applications | On time | $200,000
INTERNET REFUND FACT OF FILING: Online self-service for taxpayers to check status of refunds | 14 months late | $12.9 million

SOURCE: General Accounting Office



By early 2003, Reece had had enough. Rossotti, whose five-year term expired in November 2002, had been a lame duck for months. Without Rossotti to back him up, Reece was “a typical CIO caught in the middle,” observes Mark Forman, the former OMB official. “[Reece] tried,” says an industry executive familiar with the situation. “It’s tough for an outsider to come in to the IRS.”

Reece says he decided that the new commissioner coming on board should have “a steady, permanent hand to take [modernization] the rest of the course.”

“I’ve spent 43 years of my life running projects, and I’m very good at it, thank you very much,” says Reece. “It’s almost mind-boggling how difficult [this] was to do.”

Reece  left  the  agency  in  April  2003  and 
now  works  as  a  consultant  a  couple  of  miles 
from  IRS  headquarters. 

CAN  THIS  PROJECT  BE  SAVED? 

MARK EVERSON, A FORMER CORPORATE EXECUTIVE who was President Bush’s deputy director for management at OMB, was appointed IRS commissioner in May 2003. Three weeks later, he named Grams, the agency’s CFO, to the CIO job. By the end of the year, Everson and Grams had devised a plan based on the recommendations of consultants. In December, the IRS Oversight Board made a media splash with its report detailing a litany of management screwups by both the IRS and CSC, but, Grams says, “there was nothing in these studies that shocked us.”

Among its recommendations, the Oversight Board suggested that IRS business unit leaders take ownership of the various modernization projects, and that the agency put CSC on a short leash. In response, the IRS changed the terms of its agreement with CSC so that most of the work on modernization would be done at a fixed price, a step Grams thinks should have been taken at the outset. The agency has also scaled back its project portfolio by 25 percent.

In addition, the agency has identified business unit leaders to champion specific projects. John Duder, the deputy commissioner of the Wage and Investment Division, which will be the major user of the CADE system, now spends around 75 percent of his time on the project. CSC delivered the CADE software to the IRS shortly before the new year, and it’s being tested. Deployment is expected later this year. Grams says he has also decided to co-locate more IRS staff with Prime staff to improve teamwork. He is in the process of hiring more project managers with experience building big, complicated systems.

At CSC, Jim Sheaffer, the fourth and current general manager of Prime, says he has brought in more people at both management and staff levels who understand the tax business or have worked on public-sector projects. “There’s now a collection of people on both sides who understand better how we work together than there was three or four years ago,” he says. Sheaffer adds that his team has learned from its mistakes and improved its ability to estimate project costs and schedules.

Yet in February, CSC missed another deadline—to deliver the first phase of an internal accounting system—prompting Everson to bar the company from working on two upcoming projects. Grams says firing the company if it misses another deadline is among the IRS’s options. At a House hearing, CSC Federal Sector President Cofoni argued that future success depends on “an increased role in requirements definition and transition planning” by the IRS.

CSC officials say they have succeeded with similarly complex projects. The company recently completed the first phase of a four-year project with the U.S. Army Materiel Command to decommission dozens of systems used for managing logistics and replace them with a single instance of SAP. That project had some of the hallmarks of IRS modernization: decades-old technology and business processes; a workforce set in its ways. But the Army’s project managers got the job done by relentlessly courting end users and by insisting that CSC would not get paid unless it met an exhaustive set of performance metrics. In other words, the Army actively managed the project, which is something the IRS failed to do.

Can this project be saved? “People ask, Is modernization going to fail?” says Levitan. “I say we can’t let it fail. This program must succeed for the welfare of the entire federal government.”


Senior Editor Elana Varon writes about the financial services industry and public policy. E-mail her at evaron@cio.com.




ILLUSTRATIONS  BY  ARTHUR  GIRON 


E-Commerce 


THE  CIO  WEB 
TRANSACTION 


You  gained  a  lot  of  customers 
during  the  Internet  boom.  Now  every 
time  they  use  your  site,  especially 
when  they  don't  buy  anything, 
they’re  inflating  your  operating 
expenses.  Here's  how  to  shed 
those  unwanted  costs  and  reveal  a 
slimmer,  more  profitable  you. 

BY  CHRISTOPHER  LINDQUIST 


► The hidden costs of doing business on the Web

► Strategies for reducing costs per transaction

► How to choose between front-end and back-end investments


How many webpages can you serve for a penny?

Do you know? Do you care? You should. While your e-commerce operation may not generate the traffic of an Amazon or an eBay, that doesn’t mean you shouldn’t be concerned about how much each visitor costs you.

Because, almost invisibly, those costs may be bleeding you.

In the early days of the Internet boom, “stickiness” was the goal. Drive the masses to your URL, trap them with the digital flypaper of your clever applets and riveting content—and worry later about how you were going to make money off them.

Now it is later.

For certain, the Web has cut a lot of fat from the cost of dealing with customers. Self-service online apps reduce the need for customer service reps. Online sales cut the requirement for expensive storefronts and pricey human help. But companies have already extracted all the easy dollars; the bottom-line battlefield is beginning to move to the pennies.

Spurred by a desire to find any and every way possible to add to the bottom line, many companies have begun to do the math and are making changes designed to decrease the costs they incur per visitor (call them transaction costs) or drive up the average revenue earned from every person who hits their site. From tweaking the user interfaces in an effort to help visitors buy more, faster, to testing ways of filtering out the window-shoppers, to fully reconstructing the back-end infrastructure, smart e-commerce execs are finding ways to wring every extra penny out of what was often a slapdash operation put in place during the boom-boom ’90s, but which now must justify its existence based on profitability, not pizzazz.

The savings are out there.

How you find them depends on the particular challenge your business is facing.

CHALLENGE: WINDOW-SHOPPERS

Sabre Holdings is the $2 billion corporation behind such travel services as Travelocity, the Sabre Travel Network and GetThere. Few industries have been changed by the Web as much as travel.

“The basic shift is from expert agents—professional agents—to consumers or intuitive users,” says Craig Murphy, CTO at Sabre Holdings. “An expert agent wants targeted information; a consumer wants more options. More options take more data processing.”

As consumers demand more features—everything from search tools to weather reports—they are also more likely to spend time browsing and dreaming about a trip than they are actually buying tickets. Consequently, the “look to book” ratio is going up, Murphy says.

Since keeping costs low is key, Sabre last year began to shift from HP-UX Unix platforms to Red Hat Enterprise Linux AS on Intel running the open-source MySQL database.

The reasoning behind this change is straightforward. With proprietary systems, every time Sabre needed to add a server because of increased load on the site, it had to pay significant incremental hardware and software costs. But with Linux and MySQL, Sabre can duplicate a standard software configuration onto a low-cost Intel-based computer for a fraction of the price. So the daydreaming jet-setters can keep dreaming, without breaking Sabre’s bank.

Solution:  Use  open-source  software  to 
reduce  overall  computing  costs. 

CHALLENGE:  BUSINESS 
ACTIVITY  PEAKS  AND  VALLEYS 

For H&R Block, keeping costs under control means finding a balance between having the horsepower to meet peaks in business while not sitting on millions of dollars of idle hardware during lulls (which is an issue for any business with fluctuating activity, whether your cycles encompass seasons, quarters or even certain days of the week). Block found its answer not in cheaper software and hardware, but in letting someone else deal with the problem.

Block has what may be the ultimate seasonal business, with the online peak coming Jan. 1 through April 15. (In 2003, more than 2.1 million U.S. taxpayers used Block’s online tax services. Block CEO Mark Ernst publicly stated early this year that the company expects to serve 20 percent to 40 percent more online clients in 2004.) Tracking the cost of every customer requires modeling every change to the systems not only on the individual level, through user interface research, but also in the aggregate, using scalability testing tools from the likes of Empirix.

And  to  keep  from  owning  a  data  center  that 
gathers  dust  from  May  to  December,  Block 
found  a  hosting  provider  four  years  ago  (the 
company  won’t  say  who)  that  was  willing  to 
ramp  up  computing  power  for  the  tax  season, 
and  then  unplug  CPUs — and  not  charge  Block 
for  them — during  the  quiet  time. 

“We  scale  up  for  our  peaks,  and  we  scale 
back  down  for  our  normal  business.  And  then 
during  the  off-season  we  go  to  a  very  minimal 
configuration.  Our  cost  is  variable  along  with 
that,”  says  Roger  Zaremba,  vice  president  for 
enterprise  technology  at  Block.  “We’ve  crafted 
what  we  think  is  a  very  competitive  solution.” 

Block has its eye on the future as well. “Working with various folks like HP, we’re trying to architect all of our systems to provide a technology-on-demand scenario,” Zaremba says. The ideal situation, he adds, will be a time when Block can turn on a service, then turn it off, “and truly be charged for just what we use.”

Solution: Find a provider that will turn off the meter when your business is idling.

CHALLENGE:  DIFFERENT 
CUSTOMERS  WITH  DIFFERENT 
DEMANDS 

Recognizing that different types of customers use Rapsheets.com for various purposes, the company has developed a sophisticated infrastructure to avoid wasting expensive processing time on simple tasks. Rapsheets owns the largest privately held database of criminal records in the United States (160 million records covering about 95 percent of the U.S. population) and allows companies and individuals to search those records for, say, the nanny who has a couple felonies that didn’t show up on her resume or the wannabe security guard with outstanding warrants in three states.




Linux  for  Your  Technology  Waistline 

How  a  new  Linux  platform  helped  Amazon  slim  down 

Thirty-nine million active customer accounts. That’s the number Amazon.com was reporting in January. Given a customer base larger than the population of California, it’s easy to see why Amazon would consider transaction costs a strategic issue. In fact, the company has approached the reduction of such costs with a scientific discipline. And Amazon—along with the likes of Sabre Holdings and Rapsheets—has come to the conclusion that Linux can help.

For competitive reasons, Amazon execs won’t provide many nitty-gritty details about what they’re doing, but they will talk results. According to Tom Killalea, vice president for technology infrastructure, the company credits moving to a Linux platform for much of a quarterly reduction in technology and content costs in 2001. And Sabre CTO Craig Murphy expects at least an 80 percent decrease in overall computing costs as a result of his company’s move to adopting Red Hat Enterprise Linux AS for Sabre’s server farm.

The continuing reduction of computing costs has even given Amazon a chance to worry about extracting savings from places most companies don’t even consider.

“We focus much of our attention on areas where costs aren’t following a downward trend, such as electricity and people,” says Killalea. “And we ask questions like, ‘What’s the hardware platform that provides me with the most units of work performed, such as webpages generated, per [unit of electricity]?’”

While  moving  to  Linux  won’t  let  every  company  turn  to  their  electric  bills  for  the  next  round 
of  savings,  savings  apparently  do  exist  for  those  willing  to  take  the  open-source  plunge.  -C.L. 


Given  increasing  concern  about  liability 
and  safety,  such  background  checks  are 
becoming  the  norm  (the  service  currently  has 
between  10,000  and  15,000  companies  as 
customers,  including  national  contracts  with 
Little  League  Baseball,  the  Salvation  Army 
and  YMCA),  and  Rapsheets  has  watched  its 
transaction  volume  increase  by  an  average  of 
20  percent  per  month  during  the  past  year. 

The company started in 1997 with a fairly traditional approach to scaling its applications. As transactions increased, the company bought bigger boxes and more CPUs. Unfortunately, it became apparent that the expansion couldn’t continue. The combination of rising hardware and software costs had reached a desperate point by November 2002. The company also found itself sitting on mountains of unused computing power during slow stretches, as customers tend to submit requests primarily in the middle of the week and do multiple searches on Saturdays when they want to run through a list of potential new hires at one time. “We were paying for a lot of depth of performance in off-peak times,” CTO Keith Grimes recalls.

So that month, the company decided to take another look at the situation and seek a long-term solution for keeping transaction costs in check. The result was a complete overhaul. “We rewrote applications and rearchitected our hardware,” Grimes says.

So-called “deep searches,” where Rapsheets looks through records of multiple jurisdictions and even checks for intentionally or accidentally misspelled names or transposed numbers, require more computing power. But Grimes says 60 percent to 70 percent of searches require less exhaustive techniques—perhaps nothing more than matching a name and date of birth to a record. Previously, however, both types of searches ran on the same powerful—and expensive—hardware.

Now that has changed. Custom-built middleware determines on the fly the type of search required and sends the search to systems tuned for the task. Deep searches still go to the more potent multi-CPU boxes. But the middleware layer sends lower priority and simpler requests to low-cost IBM blade servers. And Grimes didn’t stop there. Each blade can run a different combination of operating system and application, allowing him to tune performance—and reduce costs—even further. Some searches run best on Linux, others on Windows. And with blades, Grimes can add new horsepower—or reconfigure the old—in hours instead of days to deal with new product offerings or new customer requirements.

The middleware also lets Grimes add new resources regardless of their platform—including Web services. “I could literally plug in a Unix box, a Sun box or a big IBM AIX box that will handle a hundred times what I’m doing now, and the middleware wouldn't know the difference,” he says. While one search might use 10 different systems, the user sees the same results. But Grimes—and his bottom line—will certainly notice the difference.

Solution: Install middleware to route less demanding requests to cheaper blade servers.

CHALLENGE:  INCREASING 
REVENUE  PER  USER 

Some people would argue that companies should worry less about saving pennies on the back end when there are still dollars to be extracted from the front. “I’m having a hard time believing that infrastructure costs are where the biggest improvement [in reducing transaction costs] is going to come from,” says Bob Chatham, principal analyst at Forrester Research. “I’m looking at [the cost issue] more from effectiveness and quality of customers’ experience.”

And  many  companies  are  constantly  look¬ 
ing  for  ways  to  do  just  that. 

Wells Fargo’s Wholesale Internet Solutions group, for instance, is certainly investigating infrastructure cost-savers such as blade servers. But according to Executive Vice President Danny Peltz, such savings are secondary to finding ways to increase revenue per user on the front end. To do that, his group is constantly looking for ways to make the Web interface used by commercial customers easier to navigate, as well as searching for new services to add. But generating more revenue per customer isn’t as simple as rearranging menus and adding features. Where some companies would love to put up a website and immediately get rid of human contact points to save costs, Peltz’s group actually takes the time to train customers in how to use the site most effectively.

Training can take many forms, from online tutorials to classrooms to one-on-one sessions with key customers. Wells Fargo is convinced that helping customer companies use site services goes a long way toward keeping them happy—and increases the likelihood that they’ll take advantage of (and buy) more services.

“It’s not really about cost reduction,” Peltz says. “It’s about the ability to scale without adding costs.” To that end, the group has constantly tweaked the site (Peltz claims 14 major upgrades since the middle of 2000).

Self-service tools have been a big part of the changes, allowing customers to modify such things as their policies and access rules without intervention from bank employees. For example, a treasurer could set limits on wire transfers for various clerks, then easily change the limits as needed without help from anyone at Wells Fargo. The approach seems to be working. According to Peltz, the Wholesale Internet Solutions group has grown from serving 2,200 customers at the end of 2000 to more than 22,000 at the end of 2003—all without making significant staff additions and their related costs to his group.

Solution:  Train  your  customers  to  use 
your  site  most  effectively. 


CHALLENGE:  REDUCING 
NUMBER  OF  TRANSACTIONS 
ONSITE 

Peltz’s  group  deals  with  large  cus¬ 
tomers  spending  large  dollars  with 
Wells  Fargo,  so  training  is  a  cost- 
effective  option.  For  other  sites,  how¬ 
ever,  simpler,  cheaper  solutions  are  in  order. 

At  H&R  Block,  for  instance,  the  company 
can’t  afford  to  train  each  of  the  more  than 
2  million  users  who  show  up  during  tax  sea¬ 
son.  Instead,  it  concentrates  on  usability  testing 
to  make  sure  tax-filers  get  what  they  want  (and 
only  what  they  want),  and  don’t  spend  time 
using  computing  resources  they  don’t  need. 

The  company  allows  users  to  complete  a 
tax  return  online,  for  instance,  and  doesn’t 
require  them  to  pay  a  fee  until  they  actually 
submit  the  return.  Designed  badly,  the  inter¬ 
view  process  that  generates  the  return  could 
end  up  running  millions  of  calculations  for 
thousands  of  users  who  never  give  Block  a 
dime.  “We’ve  done  a  lot  to  optimize  our  inter¬ 
view  [in  order  to  reduce  those  costs],”  says 
Neal  Shaw,  divisional  information  officer  for 
Block’s  e-solutions  group.  He  notes  that  the 
company  tries  to  identify  early  on  if  there  are 
sections  of  the  tax  interview  a  user  can  avoid 
(perhaps  because  she  doesn’t  have  investment 
income  or  business  activities),  thereby  saving 
steps  and  reducing  Block’s  overall  cost  to  com¬ 
plete  the  return.  In  one  case,  testing  discovered 
that  users  didn’t  want  to  see  running  subtotals 
as  they  filled  out  the  return.  Block  cut  the  num¬ 
ber  of  times  subtotals  appeared,  increasing 




user  satisfaction  while  reducing  processing 
time — and  costs — on  the  back  end. 

Solution:  Test  your  site  to  find  out 
what  your  users  want  and  need. 

CHALLENGE:  DEADBEATS 

But what about those customers you
don’t  want  at  all?  Block’s  site  is  full 
of  calculators,  educational  content 
and  tax  information — all  available 
whether  you  use  it  for  your  returns  or  not. 
Shaw  admits  that  such  features  attract  some 
lurkers  who  never  plan  to  buy,  but  “that’s  the 
price  of  doing  business,”  he  says.  “We  look  to 
that  as  being  the  kind  of  content  that  helps  us 
offer  the  most  value  to  our  customers.” 

Amazon.com  feels  the  same  way  and  doesn’t 
see  stickiness  as  a  problem.  “We’ve  always 
sought  to  be  the  place  where  customers  can  find 
and  discover  anything  they  might  want  to  buy 


online,”  says  Amazon  Vice  President  for  Tech¬ 
nology  Infrastructure  Tom  Killalea.  To  that 
end,  the  company  has  added  numerous 
processing-intensive  features,  including  online 
audio  samples  and  a  “Search  Inside  the  Book” 
section,  which  lets  customers  search  the  full  text 
of  120,000  of  the  tomes  Amazon  sells. 
“Increased  stickiness  has  been  a  happy 
byproduct of this sort of innovation, with discovery
being the main goal,” Killalea says.

But  not  every  site  sees  it  that  way.  While 
stickiness  can  assist  a  general-consumer  retail 
operation,  it  may  not  be  an  ideal  situation  for 
companies  seeking  a  more  restricted  clientele. 
“Who  are  you  getting  into  your  website?” 
asks  Jakob  Nielsen,  a  principal  at  product 
development  consultancy  Nielsen  Norman 
Group.  “Are  you  getting  motivated  customers 
or  the  riffraff?  It  is  becoming  clear  that  sheer 
numbers  of  unique  visitors  are  detrimental.” 

One  of  the  more  recent  attempts  by  many  e- 
commerce  sites  to  separate  the  paying  wheat 
from  the  deadbeat  chaff  is  to  force  visitors  to 
register,  providing  some  personal  information 
in  return  for  being  able  to  order  from  or  even 
view  content  on  a  website.  But  experts  say 
companies  must  be  extremely  careful  with 
how  they  use  such  strategies  or  they  will  end 
up  chasing  good  customers  away  as  well. 

Companies  think,  “Oh,  we’re  going  to  do 


this  fancy  marketing”  with  registration 
forms,  says  Nielsen.  But  using  such  forms 
increases  the  possibility  that  a  customer  may 
never  actually  use  the  site.  “There’s  the  risk  of 
browser crashing, of the modem going down,
that  the  user  doesn’t  understand  the  question. 
It  gives  customers  one  more  page  to  think 
about  whether  [they]  should  do  this  or  not.” 

Salesmen,  Nielsen  points  out,  would  never 
do  this.  At  the  moment  when  someone  is 
about  to  sign  on  the  dotted  line,  they  don’t  say, 
“Oh,  by  the  way  here  are  five  other  things  to 
think  about,”  Nielsen  says. 

Instead,  companies  wanting  to  keep  unprof¬ 
itable  users  off  their  sites  should  look  for  other 
solutions.  Nielsen  suggests  using  search  engines 
as  a  first  line  of  defense.  “If  you’re  advertising 


on  search  engines,”  he  says,  “screen  out  the  key¬ 
word  free.”  Doing  so  will  keep  many  of  the 
cheapskates  from  dropping  by  and  wasting 
your  time.  Similarly,  he  says,  put  the  price  of 
your  products  in  the  ad  or  meta  tags  used  by  the 
search engine. If your products cost $10,000,
you  don’t  need  to  waste  time  catering  to  users 
looking  for  something  under  20  bucks. 

Solution:  Use  search  engines  as  a  first 
line  of  defense. 

FIRST  STEPS 

Which way to reduce costs and
increase  profitability  will 
work  for  you?  It  depends  on 
your  needs — and  budget.  Full- 
scale  infrastructure  changes  are  expensive  and 
can  be  disruptive,  even  if  you  know  the  ROI 
will  eventually  be  realized.  But  don’t  think 
such  shifts  are  just  for  big  companies.  Sabre’s 
Murphy  says  that  most  companies  could  ben¬ 
efit  by  a  change  similar  to  his  company’s. 
“High  volumes  make  the  payoff  bigger,”  he 
agrees.  “But  the  move  to  open  source  will  pro¬ 
vide  benefits  across  all  of  computing.” 

If  you’re  not  ready  for  that  kind  of  leap, 
smaller  user  interface  tweaks  are  an  easy  way 
to  get  started.  “Probably  the  topmost  [goal] 
would  be  to  develop  a  mind-set  of  experi¬ 
mentation,”  says  Forrester’s  Chatham,  adding 
that  companies  must  quantitatively  test  cus¬ 
tomer  experience  and  not  be  afraid  to 
acknowledge  that  the  Web  isn’t  always  the 
best  means  of  customer  contact. 

The  key  is  to  do  something,  not  nothing. 
Web  usage  will  only  increase  in  the  coming 
years,  and  early-mover  companies  are  learning 
facts  about  customer  costs  now  that  will  ulti¬ 
mately  benefit  them  when  all  the  easy  dollars 
have  been  pulled  from  the  system.  Web  serv¬ 
ices,  for  instance,  is  just  around  the  corner,  with 
the  potential  to  drive  a  huge  volume  of  interac¬ 
tion  on  systems  that  once  dealt  with  only  the 
meandering  clicks  of  human  users.  Whether 
that  volume  is  an  opportunity  or  an  onslaught 
depends on how well you’ve prepared.


Technology  Editor  Christopher  Lindquist  can  be 
reached at clindquist@cio.com.


Don’t think that full-scale infrastructure shifts—and their payoffs—are just for big companies.



Customer  Relationship  Management 


banks 


Following  mergers,  banks  used  to  sacrifice  customer  service  in  favor  of  speedy 
integration  and  cost-cutting.  But  no  more.  Here’s  how  CIOs  are  helping  banks 
implement  a  new  postmerger  mandate  to  focus  on  customer  service. 

BY  ALICE  DRAGOON 


Reader ROI

► Why merging banks no longer think that cheaper and faster technology integration is best

► Learn how CIOs are using technology to put the customer first

► How IT and business executives are working together to create customer-centric cultures


WITH SOME 80 MERGERS ALREADY BEHIND THEM, THE I.T. EXECUTIVES AT FIRST UNION KNEW THAT THE CORESTATES
acquisition boded trouble long before it made headlines as a customer service disaster. Then-CEO
Ed  Crutchfield  had  paid  a  whopping  $17  billion  (5.3  times  the  book  value)  to  buy  the  Pennsyl¬ 
vania  banking  franchise  in  late  1997.  And  that  meant  First  Union  would  have  to  deliver  some 
spectacular  cost  savings  in  short  order  to  prove  to  Wall  Street  that  the  deal  made  sense.  For  IT, 
that  pressure  to  slash  costs  translated  into  not  enough  time  to  plan  or  execute  the  conversion  of 
CoreStates’  customer  data  onto  First  Union’s  systems.  Some  applications  weren’t  even  tested 
before  they  went  live.  To  make  matters  worse,  layoffs  at  the  branches  left  the  remaining  tellers 
stretched  too  thin  as  they  floundered  to  learn  the  new  technology. 

Predictably,  customer  service  plummeted,  and  nearly  one  in  five  CoreStates  customers  fled  to 
competitors  in  a  matter  of  months. 

The  problems  at  First  Union  were  not  isolated.  In  the  merger-mad  ’90s,  banks  expected  to  lose 
as many as 15 percent of their customers after a merger. As long as they succeeded in quickly slashing
costs and making the deal pay off for shareholders, banks just didn’t worry about it. Wells
Fargo, for instance, suffered a similar fate when it acquired First Interstate in 1996 and rushed




PHOTO  BY  MILTON  MORRIS 




Jean  Davis,  senior  executive  VP 
and  head  of  IT  for  Wachovia,  says 
that  following  the  bank’s  merger 
with  First  Union,  “We  looked  each 
other  in  the  eye  and  said,  ‘This  time 
we  don’t  plan  to  lose  a  customer.’” 




the  integration  process  in  its  haste  to  cut  costs. 
The  CEO  ended  up  apologizing  to  share¬ 
holders  for  the  bungled  acquisition.  But  First 
Union  and  Wells  Fargo  had  the  good  sense  to 
learn  from  their  mistakes.  Both  have  since 
engaged  in  carefully  planned,  well-executed 
mergers  in  which  keeping  customers  happy — 
not  cutting  costs — was  the  number-one  pri¬ 
ority.  Wells  Fargo  beat  analysts’  earnings  per 
share  estimates  after  merging  with  Norwest; 
in  contrast,  virtually  every  previous  large  bank 
merger  since  1995  had  failed  to  achieve  earn¬ 
ings  targets.  First  Union  merged  with 
Wachovia,  and  today  the  combined  bank  can 
point  to  steadily  increasing  customer  satisfac¬ 
tion  scores  (6.57  out  of  a  perfect  7,  according 
to Wachovia) and a 51 percent jump in stock
price  since  the  merger  was  announced. 
“Everyone  has  had  to  fail  once  big-time  before 
they  got  religion,”  says  Tom  Brown,  CEO  of 
Second  Curve  Capital,  a  financial  services 
investment  company. 

As  a  new  round  of  megamergers  gets  under 
way — with  Bank  of  America  acquiring  Fleet 
and  Bank  One  joining  forces  with  J.P.  Mor¬ 
gan  Chase — merging  banks  would  do  well  to 
learn  from  these  customer  nightmare  sagas 
and  convert  now  to  the  customer-first  religion. 
Since  it  costs  five  times  as  much  to  acquire  a 
new  customer  as  it  does  to  maintain  a  good 
relationship  with  an  existing  one,  it’s  more 
important  in  the  long  run  to  hang  on  to  your 
customers  during  a  merger  than  it  is  to  meet 


an  aggressive  deadline  for  squeezing  out 
excess  costs.  Keeping  customers  happy, 
though,  is  devilishly  difficult.  Delivering  accu¬ 
rate  account  balances,  having  ATM  cards  that 
work,  and  making  sure  tellers  can  answer 
questions  and  handle  transactions  efficiently 
all  depend  on  seamlessly  merging  the  two 
banks’  customer  data  and  systems.  Instead  of 
being  under  the  gun  to  cut  costs  and  convert 
systems  quickly,  CIOs  at  customer-savvy 
banks  are  now  expected  to  produce  technol¬ 
ogy  conversions  so  trouble-free  that  cus¬ 
tomers  won’t  notice  anything  beyond  the  new 
logo  on  their  bank  statements. 

Here’s  a  look  at  how  some  CIOs  are  now 
making  it  possible  for  banks  to  put  customers 
first  during  mergers — and  why  focusing  on 
customers  is  an  approach  that  merging  organ¬ 
izations  can  take,  well,  all  the  way  to  the  bank. 

Know  What  You’re 
Getting  Into 

When BankAmerica merged with
NationsBank  to  form  Bank  of  Amer¬ 
ica,  BankAmerica  was  supposed  to  convert  to 
NationsBank’s  “model  bank”  platform  for 
its  deposit  processing  system,  generating 
$500  million  in  onetime  savings,  according  to 
Brown,  who  is  also  a  former  Wall  Street  ana¬ 
lyst  and  cofounder  of  Bankstocks.com.  But 
had  either  bank’s  CEO  checked  with  his  IT 
staff,  he  would  have  discovered  that  the  plat¬ 
form  was  not  robust  enough  to  handle  the  vol¬ 


ume  from  California.  Today,  that  state 
remains  on  a  separate  processing  system.  If  a 
customer  opens  an  account  in  Charlotte, 
N.C.,  and  travels  to  the  West  Coast,  a  Cali¬ 
fornia  branch  won’t  be  able  to  access  her 
account.  An  alumnus  of  Bank  of  America  tells 
Brown  that  the  bank  is  now  running  on  five 
deposit  systems — something  that  will  make 
integration  of  FleetBoston  into  Bank  of  Amer¬ 
ica’s  systems  all  the  more  difficult. 

At  Southwest  Bank  of  Texas,  Executive  Vice 
President  and  CTO  Buddy  Cox  tries  to  avoid 
such  unpleasant  surprises  by  getting  involved 
early  in  the  evaluation  process.  Just  after  finan¬ 
cial  models  show  that  an  acquisition  would 
make  economic  sense,  he  and  his  team  start 
looking  for  any  infrastructure  compatibility 
issues  that  would  need  to  be  addressed  before 
the  conversion.  For  example,  when  the  bank 
was  purchasing  a  three-bank  franchise,  early 
due  diligence  revealed  that  each  bank  ran  on  a 
different  system,  meaning  that  each  bank 
would  have  to  be  converted  separately  to  min¬ 
imize  customer  impact.  Knowing  that,  Cox 
built  extra  time  into  the  merger  time  line,  and 
the  bank  was  able  to  account  for  the  added 
expense  in  the  purchase  price.  He  also  looks  at 
such  things  as  whether  the  candidate  has  just 
signed  a  five-year  outsourcing  deal  with  an 
expensive  exit  clause.  In  such  cases,  he  recom¬ 
mends  adjusting  the  deal’s  purchase  price  to 
reflect  that.  “Having  tech  teams  or  leadership 
involved  early  in  the  deal  process  is  a  critical 
component  to  deal  success,”  says  Cox. 

Experience  is  also  a  great  teacher.  When  it 
merged  with  Wachovia  in  2001,  First  Union 
was  still  reeling  from  the  disastrous  CoreStates 
merger.  And  Wachovia  had  recently  fumbled 
the  acquisition  of  two  Virginia  banks  by 
attempting  to  convert  both  over  the  same 
weekend.  “We  looked  each  other  in  the  eye 
and said, ‘This time we don’t plan to lose a customer,’”
says Jean Davis, senior executive vice
president  and  head  of  IT,  e-commerce  and 
operations  for  the  newly  merged  institution, 
which  took  the  Wachovia  name. 

Ken  Thompson,  previously  the  First  Union 
CEO  and  now  the  new  Wachovia  CEO, 
issued  a  challenge  to  employees  and  a  com¬ 
mitment  to  customers  and  shareholders:  The 


New Priorities, New Strategies

The old approach to megamergers versus today’s

                     OLD PARADIGM                                   NEW PARADIGM
Focus                Wall Street                                    The Customer
Integration          One-year target                                Three-to-four-year target
Mentality            Acquisition                                    Merger of equals
Process              Decentralized integration                      Centralized integration
Customer attrition   10-15 percent merger-related expected losses   Strive for no merger-related losses

NOTE: Megamergers defined as mergers between banks of $60 billion or more.
SOURCES: TowerGroup, Wachovia




PHOTO  BY  DANNY  TURNER 


At  Southwest  Bank  of  Texas,  CTO  Buddy  Cox  gets  involved  early  in  the  acquisition 
process  to  make  sure  there  are  no  nasty  technology  or  infrastructure  surprises 
following  a  merger. 


two  banks  would  complete  the  merger  with 
no customer impact. The bank also went public
with its customer service rankings and
pledged  to  hit  specific  customer  service  rating 
targets  throughout  the  merger  period. 

For  Davis,  Thompson’s  challenge  had  a 
profound  impact  on  how  she  approached  the 
monumental  task  of  systems  integration.  “It 
wasn’t  about  a  time  line  being  as  quick  as  it 
could  possibly  be,”  she  says.  “It  was  not  about 
making  it  as  cheap  as  it  could  possibly  be.  It 
was always, ‘What will the customer get?’”

Remove  Politics 
from  the  Equation 

Deciding which bank’s technology to use
after  the  merger  happens  is  a  process  nat¬ 
urally  fraught  with  politics.  Jim  Eckenrode, 
vice  president  of  consumer  banking  research 
at  TowerGroup,  likens  IT  departments  to  col¬ 
lections  of  fiefdoms.  “If  there’s  no  centralized 
control,”  he  says,  “often  inappropriate  deci¬ 
sions  are  made — decisions  that  are  good  for 
somebody’s  career,  but  not  necessarily  good 
for  customers,  the  bank  or  shareholders.”  To 
avoid  that  fate,  IT  leaders  need  to  be  clear 
about  the  IT  game  plan.  “A  well-defined, 
clearly  articulated  IT  strategy  from  the  top 
down  is  very  key,”  says  George  Tubin,  a  con¬ 
sumer  banking  senior  analyst  at  TowerGroup. 

Before  Wachovia  and  First  Union  began 
the  process  of  choosing  systems,  Davis  and 
her  team  worked  with  each  line  of  business 
to  draft  a  target  environment  design.  That 
meant  first  defining  the  desired  customer 
experience  and  then  figuring  out  what  tech¬ 
nology  would  be  needed  to  support  that. 
Each  line  of  business  presented  its  design  doc¬ 
ument  to  a  group  of  executive  committee 
members  for  review.  “It  gave  a  lot  of  people  a 
chance  to  poke  at  the  plan,”  says  Davis.  “We 
got  cross-functional  input  about  what  was 
feasible,  and  what  should  the  experience  in 
the end be for customers.”

Davis  helped  form  a  team  with  equal  num¬ 
bers  of  people  from  each  bank  to  vet  both 
banks’  technologies.  Because  the  banks  agreed 
to  merge  as  equals,  they  didn’t  begin  with  an 
assumption  that  one  bank’s  technology  was 
better  than  the  other’s.  To  discourage  territo¬ 


rial  decision-making,  Thompson  attended  the 
first  meeting  about  system  selection,  remind¬ 
ing  the  assembled  troops  that  even  though 
they  came  from  different  banks,  now  they 
were  on  the  same  team  and  their  task  was  to 
make  good  business  decisions. 

First  Union  and  Wachovia  IT  executives 
systematically  evaluated  both  banks’  tech¬ 
nologies,  considering  scalability  to  support 
future  growth,  business  functionality,  ability 
to  support  the  bank  strategically  after  the 
merger  and  how  all  the  technology  would  be 


integrated.  Risk,  cost  and  ongoing  support 
requirements  also  factored  into  the  equation. 

Let  Customer  Needs 
Drive  Technology  Choices 

The vetting process revealed that most of
their  technologies  had  equivalent  func¬ 
tionality,  so  Davis  and  her  team  applied  the 
customer  impact  litmus  test  and  ended  up 
favoring  First  Union  systems  so  that  fewer  cus¬ 
tomers  would  be  at  risk  for  disruption.  But 
there  were  a  few  notable  exceptions. 




Wachovia’s  image  archive  system  was  deemed 
more  advanced,  so  First  Union’s  archive  was 
migrated to Wachovia’s. The combined bank
also  scrapped  both  institutions’  outdated  teller 
systems  in  favor  of  new  technology  that  shaves 
25  to  30  seconds  off  each  transaction.  But 
upgrades  were  considered  carefully,  since  they 
added  time  and  risk  to  the  integration  process. 
“We  needed  to  make  sure  we  delivered  what 
the  customer  wanted  and  didn’t  get  carried 
away with what would be slick,” says
Wachovia  CIO  of  Retail  and  Channel  Tech¬ 
nology  Joseph  Monk.  In  three  or  four 
months,  the  team  had  made  its  selections,  and 
of about 100 decisions, only one or two were
even  contested. 

“Just  doing  a  merger  is  difficult,  let  alone 
trying to upgrade systems,” says Tubin. “The
easiest  way  is  just  to  stick  with  what  you  have. 
With  that  type  of  merger,  the  acquiring  bank 
just  gets  big  data  files  of  customers  from  the 
acquired  bank  and  maps  and  moves  them  to 
its  own  systems.”  And  in  fact,  that’s  exactly 
what  most  acquiring  banks  do — including 
Southwest  Bank  of  Texas  and  Citizens.  Citi¬ 
zens  CIO  William  Wray  says  one  set  of  core 
systems  generally  offers  no  competitive 
advantage  over  another,  so  it  makes  sense  to 
minimize  infrastructure  costs  by  moving  the 
smaller  bank  to  the  larger  bank’s  systems. 

But  bigger  is  not  always  better.  Fleet  was 
widely criticized for foisting older, clunkier (but
already  paid  for  and  amortized)  technology  on 
BankBoston  when  the  two  banks  merged  in 
1999.  Although  it  was  a  business  decision 
necessitated  by  the  need  for  speed,  that  choice 
annoyed  many  of  the  affluent,  tech-savvy 
BankBoston  customers  accustomed  to  more 
sophisticated  ATM  features.  And  former 
BankBoston  tellers  weren’t  happy  being  forced 
to  use  branch  technology  that  was  older  than 


what  they  were  used  to.  Tubin,  who  describes 
Fleet’s  approach  as  pure  “acquisition  mental¬ 
ity,”  sums  up  the  logic  this  way:  “What  you 
have  is  nice,  but  it’ll  be  a  lot  easier  if  we  take 
your  customers,  move  them  to  our  systems  and 
worry  about  moving  to  better  systems  later.” 
Fleet’s  disgruntled  customers  went  elsewhere 
as  the  customer  attrition  rate  reportedly  soared 
as  high  as  25  percent. 

Embrace  Details— 
and  Test  Like  Mad 

The integration of two banks’ IT systems
and  the  mapping  and  transferring  of  the 
acquired  bank’s  customer  data  is  a  painstak¬ 
ing,  tedious  task.  “There  are  literally  thou¬ 
sands  and  thousands  of  pieces  of  data  that  need 
to  be  looked  at  and  touched  and  evaluated  to 
understand  how  to  merge  those  systems 
together,”  says  Dennis  Rygwalski,  former  CIO 
of  FleetBoston  and  now  general  manager  of 
financial  solutions  at  Exigen.  That  means 
going  through  each  field  in  each  database  and 
figuring  out,  for  example,  what  the  “average 
account  balance”  means  on  each  system. 

Experienced  acquirers  have  got  the  inte¬ 
gration  process  down  to  a  science  and  thor¬ 
oughly  documented.  “We  have  done  enough 
mergers,  so  we  have  a  pretty  good  sense  of 
where  problems  might  occur  and  a  well- 
planned  data-mapping  process,”  says  Wray 
at  Citizens.  Citizens  and  Southwest  Bank  of 
Texas  conduct  operational  reviews  at  the  end 
of  each  merger  to  look  for  improvements  to 
the  merger  process.  After  a  merger  in  which 
the  volume  of  customer  calls  and  website  vis¬ 
its  to  check  account  balances  reached  the 
upper  range  of  what  had  been  expected  in  the 
first  few  weeks,  the  operational  review 
unearthed  the  idea  of  tapping  into  Southwest 
Bank’s  disaster  recovery  facility.  By  putting 


that  facility  into  production  mode  for  the  first 
few  weeks  after  a  conversion,  the  bank  could 
avoid  paying  for  extra  bandwidth  to  handle 
predictable  spikes  in  volume. 

Some  banks,  however,  used  to  skip  inte¬ 
gration  testing.  The  prevailing  mentality  on 
conversion teams, says Tubin, was “f**k it up
and fix it fast.” Teams used to just go live with
conversions  and  have  knowledgeable  staff 
ready  to  fix  problems  as  soon  as  they  surfaced. 

Now  that  technology  has  gotten  more 
complicated  and  banks  are  striving  for  no 
merger-related  customer  attrition,  experts  rec¬ 
ommend  testing  each  application  as  well  as 
how  individual  applications  talk  to  each 
other.  It’s  also  important  to  run  mock  conver¬ 
sions  before  going  live.  “We  knew  from  bad 
experience  that  if  we  didn’t  adequately  test, 
our  customers  would  test  for  us,  and  our  cus¬ 
tomers  would  be  telling  us  what  was  wrong,” 
says  Wachovia’s  Davis.  For  example,  in  a  pre¬ 
vious  merger,  customers  complained  that  loan 
payments  weren’t  getting  applied  to  their 
accounts  because  a  bug  in  the  cross-reference 
system  prevented  the  system  attempting  to 
apply  the  payment  from  accessing  the  cus¬ 
tomer’s  newly  assigned  account  number.  For 
the  Wachovia  and  First  Union  merger,  Davis’s 
team  conducted  six  months  of  testing,  run¬ 
ning  three  mock  conversions  for  each  of  the 
four  deposit  system  conversions.  Through 
such  rigorous  testing,  they  found  literally  hun¬ 
dreds  of  errors — and  corrected  them  before 
they  could  affect  customers. 

Don’t  Skimp  on  Training 

Difficult as it is to keep track of every tech¬
nical  detail,  people  issues — not  techni¬ 
cal  issues — are  the  hardest  part  of  merger 
integration,  says  Wray,  who  has  overseen 
eight  of  Citizens’  23  mergers.  “Technology  is 


It  wasn’t  about  a  time  line  being  as  quick  as  it  could  possibly 
be.  It  was  not  about  making  it  as  cheap  as  it  could  possibly  be. 
It  was  always,  ‘What  will  the  customer  get?’ 

-JEAN  DAVIS,  SENIOR  EXECUTIVE  VP  AND  HEAD  OF  I.T.,  WACHOVIA 




If  there’s  no  centralized  control,  inappropriate  decisions  are 
made— decisions  that  are  good  for  somebody’s  career  but 
not  necessarily  good  for  customers,  the  bank  or  shareholders. 

-JIM  ECKENRODE,  VP  OF  CONSUMER  BANKING  RESEARCH,  TOWERGROUP 


necessary;  you  can’t  screw  it  up,”  he  says.  “But 
it  can’t  ensure  success.  You  can  have  a  very 
clean  technical  experience  but  a  miserable 
customer  experience  if  branches  don’t  answer 
questions  properly.”  He  says  that  even  if  the 
technology  is  working,  if  branch  employees 
are  unhappy — or  simply  uncertain — with  the 
new  system,  it’s  tough  for  them  to  provide 
good  customer  service. 

When  Fleet  merged  with  BankBoston,  Fleet 
was  forced  to  sell  off  many  of  its  branches.  So 
the  Monday  after  conversion,  most  of  its 
branches  in  the  Boston  area  were  staffed  by 
former  BankBoston  employees  struggling  on 
legacy  Fleet  technology  on  which  they  hadn’t 
been  adequately  trained.  “People  in  branches 
didn’t  know  how  to  use  it,”  says  Eckenrode. 
“There  were  lines  out  the  door.  And  tellers 
were  complaining  that  the  systems  they  inher¬ 
ited  were  slower,  older — a  disaster.”  Second 
Curve’s  Brown  recalls  witnessing  a  near  fight 
between  a  frustrated  customer  and  a  teller  the 
week  after  the  conversion. 

To  ensure  that  tellers  get  enough  training 
and  support  to  feel  comfortable  by  the  con¬ 
version  date,  Citizens  puts  experienced  Citi¬ 
zens  employees  it  calls  “branch  buddies”  into 
the  new  branches  for  at  least  a  week  after  each 
conversion.  Wachovia  went  further,  perma¬ 
nently  moving  experienced  First  Union 
employees  into  legacy  Wachovia  branches  a 




full  four  months  before  conversion.  In  addi¬ 
tion  to  this  preconversion  “cross  pollination,” 
Wachovia  sent  teams  of  experienced  users  to 
the  branches  right  after  they  converted.  When 
customer  satisfaction  data  indicated  that  cus¬ 
tomer  wait  times  were  up,  Wachovia 
increased  the  length  of  time  that  the  teams 
stayed  from  one  week  to  three. 

Think  Phases,  Not  Big  Bang 

The big bang approach to system conver¬
sions  is  popular  among  acquiring  banks 
eager  to  slash  costs  quickly.  The  Bank  of 
America  and  Fleet  deal,  for  example,  is  sup¬ 
posed  to  wring  out  $1.1  billion  in  costs. 
Although  this  strategy  often  works  well  when 
a  very  large  bank  acquires  a  smaller  bank,  it’s 
not  recommended  for  banks  with  compara¬ 
ble  sizes.  The  bigger  the  merger,  the  bigger  the 
risk  that  something  will  go  wrong  when  you 
try  to  convert  all  branches  to  the  same  set  of 
systems  over  one  weekend.  For  banks  with¬ 
out  time  for  a  phased  approach,  thorough  test¬ 
ing  and  mock  conversions  are  critical,  says 
TowerGroup’s  Tubin,  as  is  using  a  project 
management  office  to  oversee  the  integration 
effort.  Brown  says  if  you  don’t  have  time  for  a 
phased  approach,  don’t  do  the  deal. 

Because the Wachovia and First Union deal
was a merger of equals, the new bank was not
under pressure from Wall Street to take draconian
measures to slash costs quickly to
make the deal pay off. Given the luxury of
time, Davis says, the banks were able to plot a
“sensible” time line for systems conversion.
They divided the project into four regional
conversions (Florida, Georgia, the Carolinas,
then the mid-Atlantic region), carried out over
a 15-month window. Wachovia set up a Y2K-like
command center for each regional conversion
and used a huge spreadsheet to track
customer issues as they arose. For each issue,
command center staff labeled it major, minor
or medium, noted the number of customers
affected, and immediately assigned it to a team
for resolution. Most were resolved within
hours. Processes were fine-tuned with each
successive conversion; by the fourth, Davis
reports, everything went perfectly.

CEO Thompson sat in on the final preparation
meetings preceding three of the four
regional conversions. And Davis held off on
merger-related layoffs until after the conversion
to ensure that the staff who knew the
legacy systems best were there to keep them
running until every last customer was converted
to the combined bank’s systems.

In  the  end,  there  were  no  lines  out  the  door, 
no  headlines  about  bad  customer  service.  And 
in  a  merger,  no  news  is  the  best  possible  news. 

Customer  focus  shouldn’t,  of  course,  end 
once  the  merger  wraps  up.  At  Wachovia, 
Thompson  chairs  monthly  meetings  to  review 
the  company’s  customer  service  ratings  and 
calls  on  senior  executives  to  explain  how 
they’re  addressing  customer  service  problems 
within  their  groups.  And  today,  even  the  heads 
of  lines  of  business  are  pushing  Davis  to 
develop  a  more  holistic  view  of  customers 
that’s  defined  by  customer  preferences  rather 
than  by  lines  of  business.  Monk  is  at  work  on 
the  project  now. 

“The merger has been completed, and we
haven’t lost sight of the importance of the customer,”
says Monk. And with Wachovia
reporting that for every 100 customers lost,
128 are gained, Wachovia is not likely to
change its strategy any time soon.


Send  your  customer  relationship  management 
stories  to  Senior  Editor  Alice  Dragoon  via  e-mail  at 
adragoon@cio.com.


www.cio.com  •  APRIL  1,  2004  CIO  73 


Q&A 


Howard  Gardner 


Howard  Gardner  says  it  is  possible  to  get  others 
to see things differently. But as the Harvard professor
tells CIO Senior Editor Edward Prewitt, it
takes  perseverance  and  finesse. 

Famed Harvard psychologist Howard Gardner, noted for his theory of multiple
intelligences, recently published Changing Minds: The Art and Science of Changing
Our Own and Other People’s Minds (Harvard Business School Press, 2004).
This quick, enjoyable read outlines Gardner’s research and thinking on how best to
convince others (or yourself) to adopt a different viewpoint in various settings,
including business. Gardner sat down with CIO to talk about the difficulties
inherent in the process of changing someone’s mind and the seven “levers”
by which leaders can accomplish it.




PHOTOGRAPHY  BY  CHRISTOPHER  HARTING 




CIO:  Describe  the  “mind-changing  paradox”  referred  to  in 
your  book. 

Howard  Gardner:  People  underestimate  how  difficult  it  is  to  change 
minds.  The  mind-changing  paradox  is  my  attempt  to  capture  that. 
When  you’re  little,  your  mind  changes  pretty  readily,  even  if  nobody 
pushes it. We are natural mind-changing entities until we are 10 or so.
But as we get older and have acquired more formal and informal knowledge,
then it’s very, very hard to change our minds. Which doesn’t mean
you  should  give  up.  It  means  you  need  to  be  intelligent  and  strategic 
about  it  and  persevering. 

I’m  not  stating  that  on  small  matters  it’s  difficult  to  change  people’s 
minds.  A  coffee  break  at  3:00  rather  than  1:00 — that’s  trivial.  But  on 
fundamental ideas on how the world works, about what your enterprise
is about, about what your life goals are, about what it takes to
survive — it’s  on  these  topics  that  it’s  very  difficult  to  change  people’s 
minds.  Most  people,  by  the  time  they’re  adults,  not  only  have  become 
used  to  a  certain  way  of  thinking,  but  in  a  sense  it’s  work  for  them  [to 
change]  because  their  neural  pathways  become  set. 

[For a leader] to say it’s a new ball game, that [employees] have to
make different kinds of assumptions, that the usual procedures and the
usual rewards and the usual skills are not adequate or are misplaced—this
is really calling for a revisiting of fundamentals [on the part of
employees]. And it’s very hard to revisit fundamentals.

For instance, when British Petroleum says, “We’re no longer in the
energy business, we’re in the blah-blah business,” an employee may
very  well  say,  “That’s  wrong.  We  are  in  the  energy  business,  and  we  have 
been  for  a  hundred  years.  And  who’s  this  guy  coming  out  and  saying  we’re 
in  the  blah-blah  business?”  That’s  hard  [for  leaders]  to  overcome. 

What  are  the  most  important  of  your  mind-changing  levers? 

It all depends on the situation, on whether you’re talking about employees
in a company or lovers or antagonists or your own mind.

But  there  are  at  least  two  things  whose  importance  is  underestimated. 
One is the lever of what I call representational redescriptions. Get the message
out in lots and lots of different ways, lots of different symbol systems,
lots  of  different  intelligences  and  lots  of  different  embodiments.  The  notion 
that  you  say  it  once  and  it  gets  through  is  just  wrong.  So  is  the  notion  that 
you  can  simply  repeat  yourself.  You  have  to  be  extremely  resourceful  in 
finding  diverse  ways  to  get  the  same  desired  mind-change  across. 

The second [most important] thing is that people underestimate just
how powerful resistances are. There are three factors involved in resistances:
age, emotion and public stance. First of all, the longer your neural
networks have been running one way, the harder it is to rewire them.
Unfortunately, that’s just a fact of life. Number two, the things that you
feel very strongly about emotionally are the hardest to change your
mind about. And three, particularly for people who are in public life,
are things on which you’ve taken a public stand. That’s hard to reverse.

You say it’s relatively easy to change the minds of employees,
even those who work for large companies.

Easier, not easy, I would say. There’s a distinction between leading a
nation, leading a sprawling company and leading a more focused company
like, say, Microsoft. The more the company is homogeneous, in
the sense that the people have the same type of training and the same
kind of background, the more you can approach these things at a conceptual
and theoretical level.

Any CEO or CIO needs to make a distinction between the times he
or she is addressing a rather heterogeneous group—say, everybody
who works for Wal-Mart—as opposed to dealing with top management.
It’s a matter of identifying and speaking to your audience. Think
about what you’re doing when you’re dealing with the whole organization,
and what you’re doing when you’re dealing with a homogeneous
group—which is most likely to be the people in your immediate circle, but
it could be a very different group as long as they’re homogeneous. It could
be all the technical people working in the same corner, it could be the
people in charge of the website—they all have the same expertise.

How  much  of  changing 
minds  is  manipulation? 

I  don’t  believe  behavior  change 
lasts  unless  people’s  minds  change 
voluntarily. I’m interested in leadership
that’s overt and mind-changing
that’s intentional.

People  often  way  overemphasize  how  much  they  have  to  keep  things 
a  secret  and  manipulate  people.  To  be  sure,  there’s  evidence  that  in  the 
short  run,  it’s  much  more  effective  to  be  deceptive.  Many  people  think 
they  have  to  deceive  in  the  short  run.  But  in  the  long  run,  people  and 
companies  get  found  out.  Ultimately,  manipulation  backfires. 

You  say  that  stories  are  one  of  the  most  effective  ways  for 
changing  minds  in  organizations.  What  kinds  of  stories? 

When  I  say  story  or  narrative,  I  have  a  pretty  elaborate  definition.  There 
has to be a protagonist. There have to be goals. There have to be obstacles
people can identify with. There has to be an ultimate resolution—hopefully
a positive one. It’s not the same as having a message or a vision
or a slogan. It’s a more encompassing, realistic, enveloping thing.

The overall narrative of your story is so important. Basically, what
leaders of organizations ask [you the employee] to do is put aside or reject
the story you have grown up with, believed in, internalized and seen
yourself as a character in. Leaders say, “No, it’s a different story. You
may not like it initially, but it’s a better story in the long run, and you
have to go with it, and here’s why, and I’m going to show you by my own
behavior that it’s important.”

Peer Resources

More to Mine on the Mind

Still need convincing? Read
an excerpt from Howard
Gardner's book. CHANGING
DIRECTIONS AT BP can be
found on CIO's sister website.
www.darwinmag.com

Usually  the  people  best  at  dissolving  resistances  are  the  ones  who 
have  the  same  resistances  themselves — because  they  know  in  their  gut 
how  powerful  they  are. 

Besides  changing  the  minds  of  their  staffs,  CIOs  have  to 
convince  CEOs  and  other  top  officers  of  their  goals. 

When it’s two people talking, resonance is the key factor. There is no general
recipe for resonance; you have to know your audience well enough to
know  what’s  going  to  resonate  with  this  person  on  this  day.  If  you  want  to 
bring  about  a  change  in  the  CEO,  you  have  to  know  him  or  her  very  well. 

You  need  to  do  your  homework  before  you  get  into  that  one-on-one 
situation. You need to know if this person is a story person, a theory person,
an emotion person or a paranoid person. You need to know what
are  the  sets  of  levers  that  work  with  him.  And  to  the  extent  that  it’s  a  very 
high-stakes  performance — this  is  your  two  minutes,  you  have  to  make 
the  case  now  or  never — you’ve  got  to  be  monitoring  very  carefully. 

How  can  CIOs  respond  to  unrealistic  expectations? 

The  most  important  levers  are,  again,  representational  redescriptions 
and  resistances,  and  let  me  add  a  third  one,  “real  world.”  First  is  just 
trying  lots  and  lots  of  ways  to  say  your  message.  Give  your  message  in 
more  than  one  way,  arranging  things  so  the  [listener]  has  a  different 
experience.  That’s  what  having  a  drink  after  work  with  someone  is 
about.  A  few  times  in  my  life,  I  engineered  to  get  a  seat  on  an  airplane  next 
to somebody I wanted to convince about something, because it’s a different
setting when the usual assumptions and resistances may be idling.

Never  assume  just  because  people  seem  convinced  that  the  battle  is 
totally won. You have to think about it as a military or political campaign;
it’s a long process, not a single battle.

You’ve  got  to  be  on  your  toes  all  the  time  to  buoy  your  particular 
representation  of  things  and  undermine  the  others’  versions  of  things. 
That’s  where  real  world  comes  in.  Take  advantage  of  real-world  events; 
use newspaper clippings, studies, testimonials—any examples of companies
that did something and it didn’t work and why.

Most  important,  even  if  you’ve  convinced  someone  of  your  case, 
one  of  the  things  we  know  from  cognitive  science  is  that  there’s  always 
backsliding.  You  have  to  reinforce  your  message  in  as  many  different 
ways  over  as  long  a  period  of  time  as  possible. 

Does  your  framework  for  changing  minds  work  in 
every  instance? 

Sometimes  you’re  not  going  to  change  people’s  minds.  Then  you  have  to 
make  a  choice.  There  are  four  things  you  can  do:  quit;  do  what  you’re 
told;  do  guerrilla  work,  which  is  where  you  nod  your  head  but  then  do 
what  you  want  to  do;  or  you  can  change  the  entity,  work  to  change  the 
organization  into  one  that  fits  your  goal. 


Seven  Ways  to  Effect  Change 

Looking  to  influence  a  CEO  or  colleague? 

Put  these  mind-changing  tools  in  your  arsenal. 

It's  very  difficult  to  change  the  minds  of  adults  on  any  issue  of 
significance, says author and Harvard psychologist Howard Gardner.
But the highest probability of a lasting change of opinion comes
when  the  first  six  "levers"  below  are  in  concert,  and  the  seventh 
factor,  resistances,  is  low. 

1.  REASON  The  rational  approach,  involving  identifying  relevant 
factors  and  weighing  them.  This  lever  is  especially  important 
among  those  who  deem  themselves  to  be  educated. 

2. RESEARCH Complementing the use of rational argument is the
collection  of  data,  which  is  used  to  test  trends  or  assertions. 

3. RESONANCE Whereas reason and research appeal to the cognitive
mind, resonance refers to emotions. An opinion or idea resonates
when it just "feels right" to a person.

4. REPRESENTATIONAL REDESCRIPTIONS The repetition of a
point of view in many different forms—linguistic, numerical or
graphic—to reinforce the message is one of the most important
levers for changing people’s minds, Gardner says.

5. RESOURCES AND REWARDS Money and other resources can be
applied directly (as a bonus, for example) or indirectly (as a donation
to a charity as long as the philanthropist’s wishes are adopted).
Unless resources and rewards work together with other mind-changing
levers, however, a new course of thought is unlikely to
last when the money runs out.

6.  REAL-WORLD  EVENTS  The  use  of  news  stories  and  events  to 
bolster  one’s  perspective  can  be  effective  in  changing  minds.  Some 
real-world  events,  such  as  the  9/11  terrorist  attacks,  can  affect  so 
many  people  so  deeply  that  they  cause  a  mass  change  of  mind. 

7. RESISTANCES Barriers to changing one’s mind are created by
age (as people get older, their neural pathways are less susceptible
to alteration), the emotion that a topic creates and the public stand
one has previously taken on a topic. -E.P.


Fundamentalism  is  a  kind  of  a  decision  to  not  change  your  mind 
about  something.  We  tend  to  think  of  fundamentalism  in  religious 
terms, but many of us are fundamentalists (for example, in our assumptions
about work or family) because it’s worked pretty well for us.

One  thing  to  consider  is  what  you’re  a  fundamentalist  about.  Are 
you  open  to  changing  your  own  mind?  I  wouldn’t  have  any  faith  in  a 
leader  who  said  that  he  should  never  change  his  mind.  On  the  other 
hand,  I  think  there  are  some  basic  values  where  people  ought  to  be  very 
judicious about changing their minds.




PHOTO-ILLUSTRATIONS  BY  STEPHEN  WEBSTER 


The  CIO  Role 


At  companies  notorious  for  burning  through 
CIOs,  your  credibility  and  effectiveness  are  in 
question  the  moment  you  walk  through  the  door 




BY  BEN  WORTHEN 


At  Ecolab,  Rob  Tabb  is  the  13th  head  of  IT  in  26  years,  according  to  a  longtime 
employee.  This  turnover  rate  is  even  more  stunning  considering  that  the  CEO  has 
been  with  the  $3.4  billion  chemical  company  for  more  than  45  years  and  that  most 
of  the  other  executives  have  fairly  long  tenures.  The  CFO,  the  heads  of  human 
resources  and  global  operations,  and  the  president  of  the  international  sector  all 
have  at  least  seven  years  under  their  belts.  The  COO  joined  three  years  ago  but  has 
already  been  promoted  to  president.  It's  just  the  CIOs  who  don't  stick.  Number  12, 
Jeff Kubacki, arrived in November 2002—a few weeks before number 11 was put
out to pasture—and served as interim CIO for almost a year. Tabb, formerly vice
president  of  IT  at  Nike,  became  IT  head  number  13  in  October  2003. 

Tabb  and  Kubacki,  who  is  now  the  vice  president  of  global  infrastructure  and 
operations  (reporting  to  Tabb),  realized  that  before  they  could  start  any  of  the 
strategic  projects  that  are  the  cornerstone  of  a  good  IT  department,  they  had  to 
figure out a way to stop the CIO turnover. After all, no one in the company—neither
the business executives nor the IT rank and file—would sign on to the plans if they
thought  the  CIO  turnstile  was  still  spinning. 

As their predecessors at Ecolab proved, it can
sometimes be tough for CIOs to stay put. While
the CIO position is generally more stable than it
used to be, CIO churn isn’t all that uncommon.
Lots of companies have experienced it to a
degree, and some are veritable revolving doors
for IT execs (see "Musical Chairs for CIOs," Page
81). It can happen for many reasons: inadequate
CIOs, dysfunctional cultures, and mergers and
acquisitions. Each instance may have a good
reason, but the big picture shows a high rate of
CIO turnover is bad for the organization, and
it creates a challenge for any IT leader brave
(or foolhardy) enough to boldly go where
many have come and gone before.


Reader ROI

► Why some companies turn
over CIOs at a high rate

► Two keys to stopping the
turnstile

► Why “CIO churn” will
eventually cease


“Allow Me to Introduce Myself”

How to find your way in a new job

COMPANIES WITHOUT A HISTORY of strong IT leadership often don’t really know what a
CIO does or how to incorporate one into the organization. ING Americas CTO Raymond
Karrenbauer says that a strange ritual developed during his first weeks on the job in 2001.
“Each morning, people from legal, HR, finance and sales kept coming into my office,” he
recalls. “I assumed that they were going to welcome me on board and say, Nice to meet you.”
Instead, they all asked him if he had heard about the latest whiz-bang tool for content management,
CRM or whatever piece of software the visitor thought would best help his department.
“It was frustrating,” Karrenbauer says. “They didn’t realize that this is what I do.”

Rather than explain over and over again that, yes, it was his job to know technology,
Karrenbauer decided to give these executives a taste of their own medicine. He searched
for and printed out the latest articles on new marketing techniques and financial law
changes, brought them to the offending executives’ offices and asked them if they had
heard about the new material. “I did this every morning for two weeks,” he says gleefully.
They got the message: Give me a chance to do my job.

Larry Bonfante, CIO of the United States Tennis Association (USTA), advises incoming
CIOs to find out how their new organizations really work. But knowing who to turn to isn't
always obvious, and the obvious answer may be wrong. When Bonfante first arrived at the
USTA, he watched carefully, trying to see how things really got done—and by whom.

“There is formal power and informal power,” he explains. The CEO and CFO fall into the
former category, but the latter can’t be overlooked.

The trick is to identify whom people go to when they need to get things done. It could be
a midlevel manager or even an administrator. “Take these people out to lunch and find out
how they make things happen,” says Bonfante.

It is important to establish yourself early. Rob Tabb, Ecolab’s vice president and CIO,
thinks the first six months set the tone for the rest of a CIO’s tenure. That’s the same
amount of time that new leaders take to reach what Harvard Business School associate
professor Michael Watkins calls the break-even point: the place on the learning curve at
which they start creating net value for their organizations. If you take any longer than that
to demonstrate your worth to the organization, that revolving door for CIOs just might hit
you from behind. -B.W.

“A  lot  of  these  positions  are  set  up  to  fail,” 
says  Larry  Bonfante,  the  fourth  CIO  in  10 
years  at  the  United  States  Tennis  Association 
(USTA).  The  problems  at  companies  that  have 
experienced  CIO  churn  are  systemic — the 
business  doesn’t  understand  IT  just  as  much 
as  IT  doesn’t  get  the  business.  The  result  can  be 
a  catch-22:  High-profile  CIOs  won’t  take  the 
job, and lower-profile CIOs don’t immediately
command the respect necessary to turn
the  position  around. 

But  IT  leaders  such  as  Bonfante  who  have 
walked  into  companies  with  historically  high 
rates  of  turnover  believe  it’s  possible  to  stop  the 
cycle — and  keep  their  jobs — if  the  CIO  can 
manage  two  things.  The  first  task  is  to  market 
IT  to  other  departments  and  the  rest  of  the 
executive team, making sure that they understand
IT’s goals and accomplishments. Yes,
you’ve  heard  it  before,  but  communication 
about  IT  has  never  been  more  important. 
Simultaneously,  the  CIO  must  improve  morale 
in  his  department,  rallying  the  troops  behind  a 
singular  guiding  vision.  Kubacki  believes  that 
CIOs  must  patiently  work  toward  these  two 
ends  before  doing  anything  else. 

Say  It  Once  and  Say  It  Again 

The  reason  for  Ecolab’s  high  CIO  turnover  rate 
was  clear  to  Kubacki  the  first  time  he  met  with 
the  company’s  executive  committee.  “They  all 
said  that  [IT]  spends  too  much  money  and  we 
don’t  get  any  value  for  the  investment,”  he 
recounts.  They  were  right  to  a  certain  extent, 
and  Kubacki  made  it  his  number-one  priority 
to  cut  and  shift  costs.  But  the  comment  also 
showed  that  Ecolab’s  executives  were  more 
aware of what IT wasn’t doing than what it
actually  was  accomplishing.  Kubacki  knew 
that  in  order  to  change  this  perception  he 
would  have  to  improve  communication 
between  IT  and  the  rest  of  the  company. 

And during his first three months on the job,
that’s what he did. Kubacki and Ecolab’s vice
president for solutions development conducted
extensive interviews with the company’s general
managers, asking each about his perceptions
of IT. Responses ranged from the
general—IT doesn’t understand the business—
to the specific—the help desk isn’t very good.
Kubacki then formed an IT steering committee
that included these business leaders, along with
Ecolab’s COO and CFO, to discuss and help
formulate the company’s IT priorities—something
none of his predecessors had done.

Tabb, the current CTO, who also holds a
vice president title, is at pains during committee
meetings to explain IT in terms that business
executives understand. For example, one
IT project that will save the company money
is standardizing on one kind of laptop. But the
executive committee doesn’t care if IT standardizes
on laptops—that doesn’t materially
change the way they do their jobs—and so
Tabb just talks about it briefly and only in
terms of dollars and cents.

The application environment is another
story, however. Ecolab has several manufacturing
systems and multiple finance systems.
The heads of the various business units would
like to be able to cross-promote and get a unified
view of external customers, but that’s
impossible in the current application environment.
Tabb says that application consolidation
is the sort of project that CIOs should
discuss with other execs, provided they stick to
the business impact—the cross-promotion
opportunity. “Applications are complex,” he
says. “But this goes right to heart of the business
strategy.”

Discussing the business goal of each IT project
with the IT steering committee has gradually
helped business execs better understand
the role IT plays in the company, Kubacki says.
This, in turn, has built trust and credibility for
IT. To make sure other people throughout
the company also got the message,
Kubacki started sending out a weekly
multipage e-mail newsletter that describes
everything IT is doing and how
it helps the business. “Someone in
finance recently said that he felt weekly
was overkill,” says Kubacki. “But at
this point I don’t think there is such a
thing as overcommunicating”—especially
if he wants to keep his job. After
all, it’s harder to fire someone whom
you know well than someone who’s a
remote presence.

Lesson  learned:  Be  visible. 

Raymond Karrenbauer, CTO at
ING Americas, the U.S. subsidiary of
the $97 billion Dutch financial giant,
hasn’t had to face a revolving-door role
per se, but he joined the company during
a similarly chaotic time in 2001, as
ING Americas was centralizing the IT
departments of the 20-plus companies it had
bought during the previous decade. His take:
No matter how tangled the business-IT disconnect
has become, “the CIO has the ability
to make a difference. It is up to him. But he
can’t just sit in the back room saying, ‘The
business doesn’t understand.’ You have to
make them understand.”

Karrenbauer cautions that communication
is important, but making sure it is the
right kind of communication is even more
important. “Let’s say you walk some people
through a data center,” he says. “They may
think that it is pretty slick—they see some
lights flashing—but they don’t understand
the complexity of what is going on.” Rather
than explain what each little gizmo is, the
important thing is to explain why the data
center exists, how it works and show its reliability.
Karrenbauer uses the analogy of a car
showroom: Someone buying a car, he says,
wants to know that it is reliable, that it gets
good gas mileage and that it can go zero to
60 mph in five seconds. They generally don’t
look under the hood, and they never cut it in
half with a chain saw so that they can examine
each little part. “You are buying a car on metrics,”
he says. “They buy IT the same way.”


Musical  Chairs  for  CIOs 

Six  organizations  notorious  for 
churning  through  IT  leaders 

Delta Air Lines | Four heads of IT came and
went in seven years before current CIO Curtis
Robb joined in 2000.

Ecolab | Current CIO Rob Tabb is the 13th
head of IT in 26 years.

Gateway | The computermaker has had five
CIOs since 1998.

IRS | Has gone through four CIOs in seven
years. (See “No EZ Fix,” Page 50.)

PepsiCo | Pepsi's Frito-Lay subsidiary has
gone through six CIOs in 10 years.

United States Tennis Association | Larry
Bonfante is the fourth CIO in 10 years.


Rally  the  Troops 

There’s an old sports cliche that comes up
whenever a bad team gets rid of its coach:
“Can’t fire the whole team.” But in one of his
first acts as CIO of the USTA, Bonfante did
fire the whole team. During his first nine
months, he turned over five of his eight-person
in-house staff and half of his outsourcing
contractors. The changes came as a
shock, especially in an organization that had
never experienced that kind of
turnover before, but “we had to get
the right people with the right aptitude
and attitude,” Bonfante says. He
realized when he first took over that,
no matter how inspiring his plans and
priorities might be, his employees
were not confident that he would last
any longer than his four predecessors.
Bonfante made sure the new team
shared his vision for IT and had confidence
that it could succeed.

In  most  organizations,  though — 
and  certainly  those  the  size  of  Eco¬ 
lab — 75  percent  turnover  of  the  IT 
staff  is  not  an  option.  Thus,  changing 
the  culture  in  an  IT  department  that 
has  experienced  repeated  changes  in 
leadership  needs  to  be  handled  with 
caution,  says  Tabb.  Employees  feel  “a 
cynicism  that  builds  up  over  time,”  he 
says,  which  prevents  them  from  tak¬ 
ing  their  new  bosses  too  seriously.  A  new  CIO 
has  to  win  over  his  employees  if  he  is  going  to 
stop  CIO  churn. 

Tabb  has  observed  that  CIOs  commonly 
made  the  mistake  of  coming  in  and  pressing 
for  immediate  change  without  having  an 
accurate  read  of  the  situation.  This  causes 
employees — who  may  well  be  passionate 
about  the  projects  they  are  already  working 
on — to  lose  energy.  “Nothing  gets  done,  and 
people  look  at  new  projects  with  a  jaundiced 
eye,”  says  Tabb.  The  trick  is  to  encourage 
them  to  continue  the  projects  that  help  the 
company,  while  constructing  a  vision  to  guide 
all  IT  efforts. 

At  Ecolab,  that  vision  is  to  create  a  global 
IS  organization  with  common  objectives. 
Kubacki  inherited  a  decentralized  org  chart,  in 




www.cio.com  •  APRIL  1,  2004  CIO  81 


The  CIO  Role 


which each business unit has its own IT group whose success metrics are tied to the business unit’s performance. Kubacki says that in the past, this structure has caused the staff to challenge the CIO’s priorities. “One prior CIO said we were going to do global SAP, and the business units said, ‘We don’t want to do that,’” he recalls. “Then the CIO said we will do EAI and a data warehouse,” rather than explain why the original project made sense. The current IT priorities support the vision of a unified department, including standardizing on one desktop and consolidating servers, which should ultimately reduce IT costs and give the department more money to invest in strategic projects. The new administration says it will stick to its guns and explain to its staff why its decisions make business sense.

Karrenbauer faced a similar challenge when he joined ING Americas as part of the company’s IT centralization project. Until then, the corporate IT department consisted of a handful of people who were simply administrators; the former CIOs of the acquired companies still ran their fiefdoms. Karrenbauer had a vision to integrate and standardize the company’s IT. But he had to win the proverbial hearts and minds of the IT managers and their staffs before he could get them to accept his plan. He began what he calls a grassroots campaign, soliciting best practices from each group. His goal was to sell them on his architecture plan rather than simply ordering changes that would breed resentment. Instead, he has tried to let the ideas speak for themselves, telling employees that if they can come up with a better idea, the company will do it. So far, the response from employees has been overwhelmingly positive, he says, which has helped him solidify his standing.

Quick  Wins 
Versus  Big  Projects 

On  the  surface,  a  big,  ERP-type  project  may 
seem  like  just  the  sort  of  thing  to  motivate  the 
department — and  ensure  that  you  will  stick 
around  for  the  three  or  so  years  it  takes  to 
complete  it — but  that  is  exactly  what  not  to 
do,  says  Karrenbauer.  “Every  quarter,  you 
need  to  have  credible  wins,”  he  says.  “It  is  no 
different  from  quarterly  earnings.  You  need 
to  show  your  returns.” 

Dead Man Walking?

Why some CIO is always up for the challenge

DESPITE THE LESSONS OF HISTORY, someone always takes the CIO job at companies that have a history of turning over and tossing out IT executives. Marc Lewis, president of North America for the executive search firm Morgan Howard, writes it off to human nature. As a general rule, he says, executives are title-driven. “When a marquee-sounding job comes up, few have the courage to turn it down,” he says.

IT leaders who have accepted these jobs deflect questions about the positions’ history. Jeff Kubacki, vice president of global infrastructure and operations at Ecolab, focuses on his own performance to date. “As the new guy, I have to earn my wings every day,” he says. “We’ve created a vision and delivered results.” He adds that “I received a note from our CFO on my first anniversary. He said, ‘I can’t believe it has only been a year. You are off to a great start.’”

United States Tennis Association CIO Larry Bonfante distances himself from his predecessors. “IT never communicated with [the executives], and on the rare occasions that they did, they spoke in a technical jargon,” he says. “Part of the problem that has been pervasive is lack of candor—a lack of chutzpah. People have not been willing to make hard decisions and tell the emperor he has no clothes. No one could admit the magnitude of the problems we had.” Bonfante is able to talk straight. “I knew I had to make changes, and I felt equipped to do it,” he says. -B.W.

Keep Up with Churn

Want to know which CIO just became CEO? Who is Staples' new CIO? What's it like to be Pepsi's CIO? Go to MOVERS & SHAKERS to find out at www2.cio.com/movers.

If you have to tackle a large project right away, it’s still possible to show results every three months or less. When Bonfante joined USTA, he was told to fix TennisLink, the suite of applications that the association’s 675,000 members use to register for tournaments and sign up for leagues. Bonfante convinced the executive committee that the system, which previous CIOs had tried to fix by bolting on new functions, was a $12 million loser. But even as he embarked on his two-year plan to fix TennisLink, he realized he had to break it up into small projects that could be delivered every few months.

To date, Bonfante has developed an IT scorecard, instituted a project management office, overhauled the help desk and created service-level agreement reports. When he brought each of these segments in on time and under budget, he says, “they were turning cartwheels in the boardroom.” So far, Bonfante has done three IT evaluations with executive clients and key stakeholders, and each time the results have come back more positive, increasing the credibility of his organization, himself and IT in general.

The good news is that probably fewer and fewer companies over time will go through multiple CIOs. Charlie Feld, founder of the CIO-for-hire agency the Feld Group, which was recently acquired by EDS, says that CIO churn may simply be a symptom of the position’s own short history. Most companies didn’t use any sort of technology 25 years ago, CIOs weren’t common until the past 10 to 15 years, and longtime execs in more established job roles have had to adapt to IT on the fly. “The CXO community is becoming much more sophisticated relative to IT, and the CIO is becoming more sophisticated relative to business,” says Feld. “I think [high CIO turnover] is starting to fix itself as that dialogue is becoming richer.”


Senior  Writer  Ben  Worthen  can  be  reached  via 
e-mail  at  bworthen@cio.com. 




Introducing  Raritan's  Dominion™  Series. 

Because  a  more  efficient  Data  Center  means  a  more  efficient  company. 


Three  months  from  now,  you  could  be  standing  in  front  of  your  company,  saying  "Productivity  is  up  and  costs  are  down."  It's 
no  surprise.  With  Raritan's  newest  additions  to  the  Dominion  Series,  it's  easier  and  more  efficient  to  manage  technology  assets 
anywhere  in  the  world.  Dominion  KX  gives  you  the  industry's  most  dependable  and  most  secure  KVM  over  IP  technology; 
CommandCenter™  provides  consolidated  enterprise  command  and  control.  You'll  have  128-bit  security,  scalability,  in  and 
out-of-band  access,  full  cross-platform  compatibility,  and  more.  Deployed  separately  or  together,  the  Dominion  Series  protects 
your  bottom  line  as  well  as  your  bottom. 


Ask  your  Data  Center  Manager  to  schedule  a  test  drive  by  calling  1-800-724-8090  x938 

or  by  visiting  us  at  www.raritan.com/938 



CommandCenter, 
for  consolidated  enterprise 
control,  is  one  part  of 
RARITAN'S  DOMINION  SERIES. 
The  Complete  Data  Center 
Management  Solution 




From  the  Publisher 

gbeach@cio.com

ARE YOU WONDERING WHY this column’s headline is in Chinese? Here’s a hint: The translation is “Time for a National Technology Policy.”

China  has  one.  The  United  States  doesn’t. 

In 1992, I hosted an event at Avery Fisher Hall in New York
City  titled  “The  Great  Debate:  Does  the  United  States  Need  a 
Formal  Technology  Policy?”  Panelists  included  two  members  of 
Congress  and  two  high-tech  CEOs.  Their  conclusion:  Forget  it. 
The  government  should  stay  out  of  the  tech  business. 

In  December  2003,  CIO  asked  visitors  to  its  website  the 
same  question  in  a  Quick  Poll.  How  times  have  changed.  Now 
seven  in  10  agree:  The  United  States  does  need  a  long-term 
technology  policy  covering  science,  education  and  R&D. 

What  caused  this  sea  change?  The  World  Wide  Web. 

Even though high-speed connectivity isn’t yet globally pervasive, telecommuting has morphed from doing work in your pajamas 10 miles from the office to offshore outsourcers doing the same work halfway around the world, 24/7, at half the cost. The Web and globalization have leveled the playing field for other countries to compete. Some people, including myself, worry how the United States will be able to maintain its technology leadership.


We are right to worry. According to the National Science Foundation’s “Science and Engineering Indicators 2003” report, 1.3 million students received degrees from American universities in 2002; only 59,000, or just 5 percent, of those degrees were in engineering. In the same time frame, the People’s Republic of China conferred 568,000 college degrees. But an amazing 220,000—or 39 percent—were engineering degrees. It’s not a coincidence that the Chinese government has promoted technology education for more than two decades. Other countries—India, for example—are putting more emphasis on math, science and engineering education than America is.

The  United  States’s  robust  capacity  to  invent  and  to  innovate 
depends  on  the  influx  of  new  ideas  from  the  next  generation. 
If  current  trends  continue,  what  aspect  of  the  tech  business  will 
America  still  lead  in  the  future?  Will  our  best  technical  minds 
find  better  opportunities  halfway  around  the  world?  These  are 
tough  questions,  with  no  easy  answers. 

What  do  you  think?  Does  America  need  a  formal  technology 
policy  that  sets  long-term  education,  science  and  R&D  goals? 
Where do we start? Send me your best ideas at gbeach@cio.com.




PHOTO  BY  WEBB  CHAPPELL;  HEADLINE  TRANSLATION  BY  LIONBRIDGE 


Middleware  is  Everywhere 


MIDDLEWARE IS IBM SOFTWARE. Software like IBM Tivoli Orchestration and WebSphere solutions. Based on your business priorities, Tivoli software automatically and intelligently senses and responds to change. Assets are dynamically reallocated. And resources are optimized. All with your current infrastructure. All without breaking the bank. e-business on demand at ibm.com/tivoli/middleware

1. Senses increased demand for raincoats.

2.  Responds  to  demand  automatically. 

3.  Senses  increased  Web  traffic. 

4.  Responds  to  traffic  automatically. 

5.  Senses  registers  ringing  constantly. 




The  Resource 
for  Information 
Executives 


Meet  Joe  (not  his  real  name). 


Joe  forgot  how  much 
was  riding  on  his  decision 

He  forgot  about  the 
CIO  Evaluation  Center 


Don’t  make  Joe’s 
mistake... 




Announcing the CIO Evaluation Center. CIO magazine and Technology Evaluation Centers Inc. have joined forces to make available to CIO magazine readers a cutting-edge online tool that impartially compares enterprise software products, side-by-side and interactively.

It  could  have  shown  Joe  which  product  best  matched  his  needs. 

Joe  was  last  seen  scrutinizing  the  CIO  Evaluation  Center  at:  http://www.theciostore.com 


PHOTO  BY  STEVEN  VOTE 


It’s  Politics,  As  Usual 

Don't  wrinkle  your  nose  and  don’t  turn  the  page.  Politics  is  part 
of  organizational  life.  Here’s  what  you  need  to  know. 


HIRING 

FIRING 


INSPIRING 


Inside 


MANAGEMENT REPORTS | 89

When Parts Don't Make a Whole: Using a systems model for organizational alignment

LEADERSHIP AGENDA | 90

By Susan H. Cramm

Managing IT Demand 101: Some IT professionals still haven’t learned to work with the business to manage demand for IT services

Reader Q&A


BY  LAFE  LOW 

Politics is a term with a bad smell. For most people, it conjures up images of shady backroom deals and conniving people who push through their own agendas, usually at the expense of others. But if politics is a dirty word, then roll up your sleeves. Political skills are essential for every CIO. And you don’t have to sell your soul to master them.

“Any time you get three people together, you’ve got politics. It’s a reality of human relations,” says Doug Barker, CEO of Barker & Scott Consulting and former CIO of The Nature Conservancy. “It means you have stakeholders who have a vested interest in the outcome. You need to recognize those vested interests and move toward situations that can create win-wins.”

Not every politically charged situation will be fraught with peril and deceit. “People take politics in a bad context, but it’s not always bad,” says Andre Spatz, CIO of Unicef. “It’s part of the process of making and influencing decisions.”

Political skills such as identifying stakeholders, managing relationships and communicating well are critical for IT leaders. Yet they’re hardly unique to the CIO role. “The higher up you report in your organization, the more important it is to be sensitive and savvy to the dynamics of your organization,” says Judi Zito, CIO of Miami-Dade County in Florida.


Whatever your reaction to thinking of yourself as a politician, it’s just business as usual in most cases, says Bill Hagerup, a senior consultant with Ouellette & Associates Consulting. “Like it or not, we are all in conflict for the scarce resources available to the organization,” he says. “Politics is the most common way of resolving organizational conflicts.” In that sense, politics is preferable to raw displays of power—especially if you’re at a power disadvantage.

On the Campaign Trail

So what does it take for a CIO to successfully navigate the political twists and snares that develop in any organization? In the spirit of the current presidential campaigns, we present some tips. While organizational politics isn’t quite as dramatic, CIOs can draw on the strategic and tactical mind-sets of the vote-mongering variety of candidate.

It’s politic to grant other executives some say in IT decision-making, says Judi Zito, CIO of Miami-Dade County. The payback is increased credibility.

How comfortable do you find the hot seat? E-mail Leadership and Management Editor Edward Prewitt at hotseat@cio.com.

Understand your constituency. Quite simply, know whom you’re dealing with and how they fit into the organization. “You need to develop an understanding of who the key players are and thoughtfully consider their motives, goals, perspectives, relationships with one another and their relationships with IT,” says Barker. “Once you’ve done that, you’re in a position to more successfully wade through politically charged situations.”

Taking into account the needs and desires of your constituency is as important for a CIO seeking approval for a project or budget as it is for a presidential candidate seeking reelection. “It is part of the fabric of how to deal with executive management,” says Unicef’s Spatz. “You find your supporters, see who is the real decision-maker, who is an influential supporter and who is an influential opponent.” Those techniques are essential elements of a CIO’s survival kit, he says.

Press the flesh. Good communication is another critical factor. “I don’t call it politics. I call it engagement or communicating,” says Bob Weir, vice president of IS of Northeastern University. Weir engages his senior customers continually, which in his case means department heads and the university president. He draws these key players into the IT governance process by asking each to select, from a long list of IT projects, the most important initiatives for the coming year. “We have a process by which we ask everybody what we should do, then we engage them in deciding what to do,” Weir says.

He also practices that wide-open communication policy with the university’s user community—the students. For example, as more than 23,000 students settled in at the university’s Boston campus in fall 2003, Northeastern servers were hit with viruses (as was corporate America). When installing a particularly aggressive spam and virus filter, the IT department accidentally lost 3,500 e-mail messages bound for students. Once service was fully restored and the affected students notified individually, Weir sent a mass e-mail to the entire university community, telling them what happened and what he was doing about it, and when they would hear from him next.

“Whether it’s communication about a problem or prioritization of projects, we go overboard,” he says. Weir goes so far as to answer every single e-mail personally. No candidate ever worked a room more thoroughly.

Secure endorsements. Building and maintaining relationships throughout the organization, with allies and opponents alike, is undoubtedly the most important political task facing any CIO. “Being a successful political animal...is about being a good facilitator, a good listener and paying attention to what’s spoken and what is not spoken,” says Barker.

Forming alliances means bringing others into the decision-making process, says Miami-Dade’s Zito. “My charge is to operate across all departments, and I need them on board with me,” she says. Zito is currently working with Suzanne Torriente, the assistant county manager who is responsible for public safety agencies such as fire, police, rescue and homeland security, to define responsibilities and recruit a program manager for the county’s IT security and public safety. This person will ultimately report to both Zito and Torriente. “Giving up a certain level of control and authority to share it with somebody else is important, but it’s kind of risky,” says Zito. “If you’re not willing to let go a little bit, though, I’m not sure how much credibility you’ll have.”

When Barker served as the CIO of The Nature Conservancy, he developed a plan to move from localized, divisional IT solutions toward an organizationwide system that necessitated enterprise standards. This shift required the local offices to give up some control of system specifications and standards. Since Barker didn’t have the power to mandate this plan, he instead sought endorsements from early adopters by communicating the benefits of the new system to them and demonstrating its value. “I created champions outside myself,” he says. “They realized this was much better for their part of the organization and in their best interests.”

Relationship-building can pay huge dividends down the road when sensitive situations arise. “It helps defuse sticky political situations if you already have well-established relationships with any or all of the parties and those relationships have been built outside the context of the individual situation,” says Paul Gaffney, former CIO and current executive vice president of supply chain for Staples.

Watch the weathervane. Political savvy means being prepared for change. “The political winds in an organization can shift and always do,” says Barker, “so you need to be actively understanding what are the drivers in the organization, what are the goals of the different players and what are the different relationships.”

At the same time, CIOs should keep their strategy clearly in mind, Spatz says. Otherwise, when political changes occur, “you won’t know how to make compromises that don’t compromise the overall goal,” he says.

Because Unicef operates on a biennial budgeting process, Spatz has to identify technology investments, operating costs and required upgrades up to three years in advance—a process he describes as “science fiction.” Having to plan so far ahead, when discrepancies are a guarantee, requires that he constantly lobby his business-side colleagues so that they continue to understand the need for technology initiatives.

Keep campaigning. As a change agent, the CIO needs to be patient when pressing for his initiatives. “True sustainable change will only come over time,” says Spatz. “You put processes in place, and people will start to change, but it takes time.” He feels that CIOs and their executive colleagues are often impatient. Taking a longer-term view, however, will help keep progress with change initiatives in perspective. “You may lose a few rounds, but you’ll win in the long run,” he says.

POLITICS WORKSHOP

Five Steps to Political Savvy

IT management consultancy Ouellette & Associates offers a two-day workshop on organizational politics. CIOs and IT managers attending the session are told to focus on five steps.

Extend Your Radar

Make sure you know all the key players who might influence your organization—even if you don’t think they should! Pay attention to the connections they have with each other.

Note Who Has the Power

Learn which key players have power or influence over which others.

Identify Friends and Foes

Determine who will gain and who may suffer when things go according to your plans—and don’t ignore your enemies.

Chart Your Course

Considering what you've learned about your key players, predict political difficulties and plan mitigation strategies.

Stay Your Course

Keep in touch with key players to monitor your progress. Expect the unexpected and adapt as necessary.

SOURCE: Ouellette & Associates

ILLUSTRATION BY STEVEN P. GORMAN

MANAGEMENT REPORTS

When Parts Don’t Make a Whole

Using a systems model for organizational alignment

The change management initiative that has changed nothing. The strategic plan that’s a nonstarter. These organizational ills and many others share a diagnosis: They are all aspects of being stuck. That’s according to a forthcoming book, Unstuck: A Tool for Yourself, Your Team and Your World (Portfolio, April 2004), by strategy consultant Keith Yamashita and Sandra Spataro, a professor at the Yale School of Management.

Being stuck is a term rarely applied to the business world, but it alludes to the authors’ holistic view of organizations. They argue that companies are organic systems; therefore, “organizations that are out of balance become stuck.” Getting any one part unstuck requires bringing all the parts of an organization into balance.

This systems model consists of six parts, with purpose at the center and five other elements—strategy, culture, people and interaction, metrics and rewards, and structure and process—contributing equally to that purpose.

The great majority of stuckness results from seven primary causes, the authors say, called the “Serious Seven.”

1. Overwhelmed: A sense of being without a rudder, of having too much work and no idea of where to start. The cause: The structure and process element of the system are missing.

2. Directionless: When a high level of activity isn’t correlated with results and people don't know how their work connects with the bigger picture. The cause: The element of strategy is either missing or the organization’s strategy is the wrong one.

3. Hopeless: A lack of passion among employees about their work and a prevalence of individual agendas. The cause: The organization's purpose is anemic or isn’t apparent.

4. Battle-torn: Internal fighting rather than a focus on the real task at hand. It’s indicated by real decisions being made in hallways after official meetings. The cause: Problems with people and their interactions.

5. Worthless: Job targets are ambiguous and expectations don't seem to match priorities. The cause: Misaligned metrics and rewards.

6. Alone: Team members fail to work together. The cause: Lack of a cohesive culture.

7. Exhausted: Burned-out employees exhibiting resentment, lack of interest and even mutiny. The cause: All six elements of the system are present but are not working together.

The book presents dozens of innovative ideas for becoming unstuck. Call it chiropractic for the workplace.

-Edward Prewitt and Meg M. Moore

Weir confesses that Northeastern’s senior management took a while to get used to his intense style of communication, but his persistence and continued openness have paid off. “Over time, you build that rapport and trust,” he says. Now, if they haven’t heard anything from him, university officials don't wonder whether anything bad is happening in IT, Weir says.

It’s Critical to Be Political

Ultimately, the skill set of a seasoned politician is not all that different from that of a seasoned senior-level executive. Most executives who have risen to the level of CIO will have mastered at least some political techniques. “If someone has made it to CIO,” Weir says, “then by definition, they’re pretty savvy folk.”

“The higher up you report in your organization, the more important it is to be sensitive and savvy to the dynamics of your organization.”

-Judi Zito, CIO, Miami-Dade County

For the politically challenged, these skills can be learned. “There’s no magic in it,” says Spatz. Which is good news for the impolitic—because without political savvy, Barker says, “a CIO is sunk.”


Send comments on this article via e-mail to hotseat@cio.com. Lafe Low is manager of content development for CXO Media’s Executive Programs group.


Leadership Agenda | By Susan H. Cramm

Managing IT Demand 101

Some IT professionals still haven’t learned to work with the business to manage demand for IT services

Call them what you want—business systems planners, IT account consultants, IT relationship managers or business technology liaisons—they are responsible for helping ensure that IT demand is balanced with supply. Until recently, I assumed that most of these professionals understood demand management and their role in facilitating a win-win handshake between IT and the business. Surely, we have evolved beyond the order-taking era of IT.

Boy,  was  I  wrong.  While  facilitating  a  planning  session  with  a  Fortune  50 
company,  I  assumed  that  the  IT  account  consultants  would  want  to  dive  deep 
into  demand  management  issues  and  opportunities.  Instead,  while  presenting 
the  demand  management  framework,  I  received  push-back  in  the  form  of  the 
question  “What  right  does  IT  have  to  tell  the  business  what  they  can  and 
cannot  have?” 

I  took  a  deep  breath  and  checked  my  watch.  I  had  just  been  transported 
back  to  1994,  when  conventional  wisdom  held  that  IT  delivery  issues  could  be 
fixed  with  supply-side  tactics,  such  as  improved  capacity  planning  and  project 
management,  standard  software  development  approaches  and  alternative 
sourcing  strategies.  As  I  readied  myself  to  shift  into  coaching  mode  (and  give 
them  a  primer  on  demand  management,  whether  they  wanted  it  or  not),  my 
facilitator  survival  instincts  won  over,  and  I  let  them  define  their  top  issues 
and  opportunities.  (As  you’d  expect,  they  decided  to  tackle  the  supply  side.) 

Well,  I’m  out  of  facilitator  mode,  back  into  coaching  mode  and,  last  I 
checked,  it’s  2004  and  well  past  the  time  for  all  IT  professionals  to  have  a  firm 
grasp  of  demand  management  and  its  supporting  mechanisms.  In  one  of  my 
previous columns, “IT Economics” (available at www.cio.com/printlinks), I
defined  demand  management  as  allocation  of  capital  and  human  resources  to 
the  highest-value  opportunities.  Demand  management  is  important  because 
it  helps  the  enterprise  get  the  most  out  of  its  scarce  resources  and  allows  IT  to 
focus  the  company  agenda  and  improve  delivery. 

Evaluate  the  health  of  your  demand  management  mechanisms  with  the 
following  overview  of  the  key  mechanisms. 

Strategic IT planning. Most of us are familiar with what strategic IT planning
should be—even if our actual practice is short of the mark. To grease the
wheels  of  demand  management,  the  strategy-making  process  needs  to  result 
in  a  finite  set  of  opportunities.  You  accomplish  this  by  prioritizing  based  on 
some type of strategic filter. Once you have worked with business execs to
identify the IT-enabled business
opportunities,  technical  types  can 
further  manage  demand  by  roughing 
out  the  architectural  requirements, 
constraints  and  standards  necessary 
to  minimize  the  technical  footprint. 

Portfolio  management.  This  is  a 
fancy term for the process of determining
(and monitoring) how much money
the  enterprise  should  spend  on  the 
various  categories  of  IT-enabled 
business  investments.  Typically  a 
senior  executive  responsibility,  the 
portfolio  management  process  should 
result  in  a  multiyear  forecast  of  IT 
spending.  This  “funding  envelope”  is  a 
critical feature of demand management,
since it constrains overall
demand  and  results  in  increased 
project  scrutiny. 

Delegated  authority.  Once  the  IT 
governance  group  has  determined 
your  targeted  IT  portfolio,  it’s  time  to 
establish  the  oversight  mechanisms 
necessary  to  realize  the  portfolio 
objectives—with minimal bureaucratic
heartburn  for  all  involved.  Figure  out 
which  investments  require  senior-level 
oversight  and  delegate  the  rest  to 
individual  business  executives  in  the 
form of “capital checkbooks.” (By this,
I mean a virtual checking account that
business execs can spend as they see
fit, during the course of the fiscal year,
on IT-enabled business initiatives.)
These are an effective demand management
tactic because the executives
gain authority over tactical IT
decisions  as  long  as  they  live  by  the 
enterprise  rules  on  investment  type 
and  approach,  funding  limits  and 
value  targets. 

Financial planning. When the strategy,
portfolio and authority decisions
have  been  made,  then  the  financial 
planning  process  is  a  simple,  albeit 
painful,  process  of  filling  in  the  details 
of  who  budgets  for  what  and  how 
much. Under a process defined by the
CFO or controller, the capital checkbooks
are budgeted at the appropriate
organizational  level  and  operating 
expenses  are  aligned  accordingly.  At 
this  point,  the  capital  within  the 
checkbooks  has  been  earmarked  for 
potential  opportunities,  but  the  actual 
allocation  is  spread  out  throughout  the 
year  so  that  funding  is  available  for 
new  projects. 

Prioritization and sequencing. This
is where demand management lives or
dies. Effective governance—at enterprise,
divisional, business unit and
departmental levels—is necessary to
review the various investment proposals
for strategic fit, criticality, value
and compliance with rules on
approach, risk mitigation and architecture.
If the governance process is
transparent, accessible, lean and time-sensitive,
then you have a better shot
of gaining compliance from the organization
and avoiding the spillover of
demand into unofficial and uncontrolled
channels.

Value realization and accountability.
One of the best ways to manage
demand is to require value commitments
as a prerequisite to project
funding. Then you can monitor value
realization as part of the governance
process. Allowing nonmonetary value
commitments, in the form of improvements
to operational measurements
(such as a commitment to increase
distribution cycle time by 50 percent),
is the most practical approach.

Demand  management  is  a  cyclical 
process,  beginning  with  strategic 
planning and ending with the realization
of value. Each step helps set up
the  later  stages  for  success. 

Returning  to  the  question  posed 
during  my  1994  time  warp,  IT  most 
certainly  does  not  have  the  right  to  tell 
the  business  what  it  can  and  cannot 
have, but CIOs do have the responsibility
to ensure that the enterprise gets
the most out of its IT investments—
while  maintaining  a  reputation  for 
good  customer  service. 

Reader  Q&A 

Susan  H.  Cramm  answers 
questions on “Managing IT
Demand  101” 

Q: When I ran a 600-person, multilocation,
offshore IT team for a large
computer  company  in  Austin,  Texas, 
my  clients  were  IT  directors.  They  had 
the  attitude  of  “What  right  do  you  have 
to  tell  us  IT  directors  what  resources 
we  can  and  cannot  have?”  Just  as 
doctors  make  the  worst  patients,  IT 
directors  make  the  worst  customers. 

A:  This  example  of  the  extended  supply 
chain  underscores  the  importance  of 
integrating  the  demand  management 
processes in order to minimize hand-offs
(which just transfer the problems
down  the  supply  chain  and  further  away 
from  the  customer).  Start  by  explicitly 
designing  the  demand  management 
processes  with  your  IT  clients.  Identify 
the  integration  points  where  all  parties 
need to be looking at the same information
so that they can reach agreement
about  what  work  should  be  done,  by 
whom,  how  and  when.  This  requires  a 
mutual  understanding  of  the  strategic 
filters,  portfolio  targets,  multiyear 
funding  projections,  project  approval 
processes  (with  delegated  authorities), 
financial  and  resource  budgets  (with 
delegated  checkbooks),  architectural 
standards and value accountability.


To see more reader questions and answers
from Susan H. Cramm, go to www.cio.com/leadership/agenda.html.
Cramm, a former restaurant
CIO and CFO, is president of Valuedance, an
executive coaching firm in San Clemente, Calif.
You can contact her at susan@valuedance.com
and learn more about Valuedance at www.valuedance.com.




CIO  Perspectives®  Conference 

April  18  -  20, 2004  La  Costa  Resort  &  Spa  Carlsbad,  California 

Spend  a  few  thought-provoking  and  enlightening  days  with  your  CIO  peers. 


Mastering  the  Politics,  Policies  and  Technologies 


The  high-performance,  technology-enabled, 
global,  seamless  and  secure  organization: 
that’s the goal of every CIO. Over the past few
years, hardware and network/telecom costs have lowered
significantly, and the enterprise software industry continues
to mature. We’ve spent considerable time and money
re-engineering and streamlining business processes,
“right-sizing” our staff and organizations, leveraging our
customer information and analyzing our vulnerabilities.
But we’re still not there. We haven’t won the IT value
argument with management, and our users continue to
give us low marks. So, what’s holding us back? We’ll
examine the roadblocks that internal and external politics,
policies and technologies are throwing at us, and
learn what actions we can take—individually and collectively—to
overcome them.

Concurrent  CSO  Conference: 

Bring  Your  CSO 

Our  CSO  (Chief  Security  Officer)  Conference,  How  to  Take  the  Sting 
Out  of  Risk,  is  being  held  concurrently  at  the  La  Costa  Resort  &  Spa. 
If  you  and  your  CSO  or  CISO  wish  to  attend  the  respective  CIO  and 
CSO  conferences— you’ll  get  a  significant  package  discount. 

Call  us  at  800.366.0246  for  special  pricing  and  have  your  chief 
security  executive  check  out  the  CSO  conference  information 
www.csoonline.com/perspectives. 


Powerful  Insights 
Actionable  Ideas 
Great  Networking 


Call  800.366.0246  or  visit 
www.cio.com/conferences 

Sponsored  by 


Intel

PricewaterhouseCoopers

Quova


Presented  by 


The  Resource  for 
Information  Executives 


NEW  SPEAKERS  ADDED: 


John  M.  Poindexter 

PhD, Consultant & Former Director of the Information
Awareness Office at DARPA, on “Security With
Privacy,” giving us a special “After Action Report on
Total Information Awareness” and discussing why
the issues involved are important for business.


Nicholas  Carr 

Carr started a firestorm with his explosive HBR
article,  “IT  Doesn’t  Matter.”  He  explains  his  view  of 
how  technological,  economic,  and  competitive 
forces  are  combining  to  transform  the  role  IT  plays. 


SPEAKERS 

James  E.  Albert 


Chief  Information 
&  Telecommunications 
Technology  Officer, 

San  Francisco  Municipal 
Transportation  Agency 


W.  Brian  Arthu 


Conference  Moderator 


President,  Electronic 
Industries  Alliance 


Mamie  Millard 


Senior  Vice  President, 
Product  Development 
&  Delivery, 
Travelocity.com 


Assistant  Vice  President, 
Business  Continuity, 
USAA  Information 
Technology  Company 


Gary  Beach 


Publisher,  CIO  Magazine 


Vice  President  of 
Information  Systems, 
7-Eleven,  Inc. 

Senior  Vice  President, 
Corporate  Governance, 
Tyco  International 


John  L,  Puckett 


George  Campbell 


Chief Security Officer
(retired), Fidelity Investments
& Past President,
International Security
Management Association

CTO, DuPon


General  Motors 


Senior  Vice  President  & 
CIO,  Tyco  International 


Monique  Shivanandan 


Vice President IT Strategy,
Security & Business
Continuity,  Bell  South 


Vice  President  &  CIO, 
Tokyo  Electron  America 

Vice  President  IS  Shared 
Services,  Tyson  Foods, 
Inc. 


Executive  Advisor,  Global 
Downstream,  Chevron 
Texaco 


Abbie  Lundberg 


Editor  in  Chief, 
CIO  Magazine 


Associate
The  Wharton  School 


Linda  Tuck-Chapman 


Vice  President,  Strategic 
Sourcing,  Scotiabank 

Vice  President 
Information  Services, 
Northeastern  University 

Industry  Expert  &  Author 


Deputy  Under  Secretary 
for  Technology, 

US  Department  of 
Commerce 


President  &  CIO,  USAA 
Information  Technology 
Company 


Globalization  touches  all 
organizations. What do your
policies  say  about  your  politics? 


A  case  study  with  two  members  of  the 
new  senior  management  team  at  Tyco 
who are rebuilding and refocusing the
company. 


How  can  your  organization’s 
structure  help  ensure  the  safety  of 
your  electronic  and  physical  assets? 


A  run  of  nasty  viruses  and  a  major 
power  blackout  provide  several 
lessons  we  can  take  to  heart. 


Is  it  time  for  the  US  to  craft  a  formal, 
national  technology  policy  in  order  to 
remain  competitive  in  the  globalized 
economy  of  the  21st  century? 


Research  findings  and  best  practices 
on everything from finance to staffing
to  marketing/communications. 


What  are  the  high  stakes  battles 
and  how  will  the  outcome  shape 
products  and  services? 


The  complaints  about  the  overall  lack  of 
quality  of  major  commercial  software 
are  endless.  What  can  and  is  being  done 
to  make  it  better? 


For  More 
Information 

Call  800.366.0246  or  visit 
www.cio.com/conferences. 


To  be  eligible  for  CIO  Perspectives  Conference 
attendance,  you  must  be  a  CIO  or  executive-level 
IT  practitioner  or  a  participating  corporate  sponsor. 


Sales  and  Services 

CIO  SALES  OFFICES 

President  and  CEO  Walter  Manninen 
Publisher  Gary  J.  Beach  •  508  935-4202 

Executive  VP  Sales/Custom  Publishing 

Ellen  Romanow  •  508  935-4796 

East  Coast 

Senior  Vice  President,  Sales  and  Integrated 
Solutions/East 

Joan Kelly • 508 935-4586

Regional  Sales  Director 

Kathy  Powers  •  201 634-2331 

Regional  Sales  Manager 

Ellie Schwab • 201 634-2332

Senior  Account  Executive 

Andrew  Haney  •  508  988-7863 
Fax  •  508  879-6063 

Account  Executive 

Joan  Bonadeo  •  201 634-2328 
Advertising  Sales  Associate 

Rhonda  Goodman  •  201 634-2329 
Fax  •  201 634-9513 

New  England 

Senior  Vice  President,  Sales  and  Integrated 
Solutions/East 

Joan  Kelly  •  508  935-4586 

Account  Executive 

Dawn  Cora  •  508  935-4092 
Fax  •  508  879-6063 


South  Central 

Regional  Director/ Advertising  Sales 

Robert  E.  Sawdon  •  512  306-9801 
Account  Executive 

Brenda  Garza  •  512  306-9801 
Fax  •  512  306-9805 

North  Central 

Senior  District  Sales  Manager 

Beth  DeVillez  •  847  441-3140 
Advertising  Sales  Associate 

Kim  Giovanni  •  847  441-5005 
Fax  •  847  441-5150 

West  Coast 

VP  Sales/West 

Cheri Parr • 415 975-2685

Senior  Regional  Sales  Managers 

Ai Collins • 415 975-2686
Jane  Evans  •  415  975-2680 

Regional  Sales  Manager 

Kevin  Ebmeyer  •  415  975-2684 
Account  Executive 

Derek  Jung  •  415  975-2683 
Fax  •  415  543-2358 

Southern  California 

Senior  Account  Executive 

Isaac  Ugay  •  949  475-5579 
Fax  •  949  475-5583 

LIST  SERVICES 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 


List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

ONLINE  SERVICES 

VP/Online  Sales 

Lisa  Brown  •  508  935-4470 

Online  Sales  Manager 

Michael  McPhee  •  508  935-4611 

CUSTOM  PUBLISHING 

Group  Director  •  Michael  Siggins 
Director  •  Mary  Gregory 

Director  of  Content  Development  •  Tom  Field 
Project  Managers  •  John  Danielowich, 

Amy  Greenleaf 

Graphic  Designer  •  Christopher  Brown 

REPRINT  SERVICES 

For  article  reprints  (500  quantity  or  more), 
please  contact  Jackie  Day  at  RSiCopyright 
(651 582-3856)  or  via  e-mail  at 
cioreprints@rsicopyright.com. 

CIO  IS  PUBLISHED  IN  THE 
UNITED  STATES  AS  WELL  AS  IN: 

Australia,  CIO  Australia  www.idg.com.au 
Canada,  CIO  Canada  www.iti.on.ca/cio 
China,  CEO  &  CIO  China  www.ceocio.com.cn 
France,  CIO  France  www.idg.fr/cio 
Germany,  CIO  Germany  www.cio.de 
India,  CIO  India  91-80-521-0309/12 
Japan,  CIO  Japan  www.idg.co.jp 
The  Netherlands,  CIO  Netherlands 
www.cio.nl 

New  Zealand,  CIO  New  Zealand  www.idg.co.nz 




Norway,  CIO  Business  Standard 
www.business-standard.no 
Poland,  CXO  Poland  www.cxo.pl 
Singapore,  CIO  ACEN/Hong-Kong 
www.idg.com.sg 

South  Korea,  CIO  Korea  www.cio.seoul.kr 
Sweden,  CIO  Sweden  www.cio.idg.se 

For  further  sales  information,  visit 
www.cio.com/marketing/salesoffices.html. 


CIO  Contact 
Information 

Editorial,  Advertising  and  Business 
Offices:  492  Old  Connecticut  Path, 
P.O.  Box  9208,  Framingham,  MA 
01701-9208,  508  872-0080. 

CIO  (ISSN  0894-9301)  is  published 
semimonthly  and  as  a  combined  issue 
December  15/January  1  by  CXO  Media 
Inc.,  492  Old  Connecticut  Path,  P.O. 
Box 9208, Framingham, MA 01701-9208.
Periodicals postage paid at
Framingham,  MA,  and  at  additional 
mailing  offices.  Canada  Publications 
Mail  Agreement  Number  1902075. 
CANADIAN  POSTMASTER:  Please 
return  undeliverable  copy  to  P.O.  Box 
1632,  Windsor,  ON  N9A7C9. 

Permissions:  Copyright  2004  by 
CXO  Media  Inc.  All  rights  reserved. 
Reproduction  of  material  appearing 
in  CIO  is  forbidden  without  written 
permission.  Send  all  requests  to 
Permissions  Department,  CIO,  492 
Old  Connecticut  Path,  P.O.  Box  9208, 
Framingham,  MA  01701-9208. 

Photocopy  Rights:  Permission  to 
photocopy  for  internal  or  personal 
use  or  the  internal  or  personal  use  of 
specific  clients  is  granted  by  CIO  for 
users through the Copyright Clearance
Center, provided that the base
fee  of  $3  per  copy  of  the  article,  plus 
$.50  per  page  is  paid  directly  to 
Copyright  Clearance  Center,  27 
Congress  Street,  Salem,  MA  01970. 
Please  specify:  ISSN  0894-9301. 
Permission  to  photocopy  does  not 
extend  to  contributed  articles 
followed  by  this  symbol:  $. 

Subscriptions: CIO is free to qualified
information executives. To apply, use
our online subscription form at
www.subscribe.cio.com. Subscriptions
are also available on a paid
basis at a rate of $95 for the United
States and Canada, $195 for international
(payable in U.S. funds only)
and may be ordered online at
www.subscribe.cio.com/services.html
or by sending an inquiry to CIO, P.O.
Box 489, Northbrook, IL 60065-0489.
Please allow four to six weeks
for a new subscription to begin. The
single copy price is $9 for the United
States and Canada, and $15 international.
Prepayment is required,
payable in U.S. funds.

Change  of  Address:  Please  go  to 
www.omeda.com/custsrv/cio  and 
follow  the  online  instructions. 

Postmaster:  Send  change  of  address 
to  CIO,  P.O.  Box  489,  Northbrook,  IL 
60065-9816.  Printed  in  the  U.S.A. 




YOU  NEED  TO  GET  SMART  FAST. 


How do you make short-term cuts without losing the long-term
view? What are the rules of smart IT spending? How
do you fund innovations during hard times? Turn to the CIO
FOCUS™ on I.T. COST CONTROL: SMARTER SPENDING
STRATEGIES FOR TIGHT TIMES—actionable information created,
filtered and packaged by the award-winning editors of
CIO magazine.

CIO  FOCUS™  is  delivered  right  to  your  desktop,  giving  you 
immediate  access  to  the  information  you  need.  And  for  your 
future  reference  needs,  the  electronic  file  is  followed  by  a 
packaged  version,  shipped  within  72  hours. 


CIO  FOCUS™ 

IT  Value:  Measurement  Tools 
and  Techniques  That  Work 

Software  Vendor  Relationships: 
Selecting,  Vetting  and 
Managing  Partners 

Fundamentals  of  the  CIO  Role 

Applied  Wireless:  Making 
Wireless  Work  in  Business 


CIO  FOCUS™ 


STRATEGIC  GUIDES  FOR  EXECUTIVE  DECISION  MAKING 


The  Resource 
for  Information 
Executives 



FOR  EXECUTIVE  DECISION-SUPPORT  TOOLS,  VISIT  THE  CIO  STORE-THE  CIO’S  KNOWLEDGE  MARKETPLACE. 

www.TheCIOStore.com 


EXECUTIVE 


April  1,  2004 


COVER STORY | No EZ Fix

By Elana Varon | 50

The IRS’s $8 billion modernization program,
launched in 1999 to upgrade
the agency’s IT infrastructure and
more than 100 business applications, has
stumbled badly. The first of multiple software
releases planned for a new taxpayer database
is nearly three years late and $36.8 million
over budget. Eight other major projects have
missed deployment deadlines, and costs have
ballooned by $200 million. This case study
illustrates what can go wrong when a complex
project overwhelms management capabilities
of both vendor and client. The IRS
did not follow its own procedures for developing
the new systems and failed to give
consistent direction and oversight to prime
contractor CSC. Longtime managers resistant
to change undercut the vendor as well as the
private-sector IT executives hired to oversee
the program. IRS execs and its oversight
board say CSC failed to grasp the complexity
of the assignment. To turn things around, the
IRS has barred CSC from starting new projects
and changed the terms of its agreement
with CSC so that most of the work on modernization
will be done at a fixed price. The
agency has scaled back its project portfolio,
and CSC has brought in more people at both
management and staff levels who understand
the tax business.


The CIO Web Transaction Diet By Christopher Lindquist | 58

WHILE YOUR E-COMMERCE OPERATION may not generate the traffic of an Amazon, that
doesn’t mean you shouldn’t be concerned about how much every website visitor costs you. Because
those costs may be bleeding you. Many companies are making changes designed to decrease the
costs they incur per visitor (transaction costs) or drive up the average revenue for each visitor. Smart
e-commerce execs at Amazon, H&R Block, Sabre Holdings and Wells Fargo are tweaking user interfaces
in an effort to sell more goods and services faster. They’ve filtered out the window-shoppers and
they’ve fully reconstructed back-end infrastructures and migrated to cheaper Linux platforms. What
tactics you choose will depend on the type of transactions and your company’s business model, but
the key is to take action, as Web usage will only increase in the coming years.


Banks Fight Customer Flight By Alice Dragoon | 68

IN THE MERGER-MAD ’90s, banks expected to lose 10 percent to 15 percent of their customers
after a merger. As long as they succeeded at quickly slashing costs and making the deal pay
off  for  shareholders,  banks  just  didn’t  worry  about  the  losses.  As  a  new  round  of  megamergers  gets 
under  way,  banks  are  rethinking  this  position.  It  costs  five  times  as  much  to  acquire  a  new  customer 
as  it  does  to  maintain  a  good  relationship  with  an  existing  one,  so  it  pays  to  hang  on  to  customers 
during  a  merger  rather  than  meet  an  aggressive  deadline  for  squeezing  out  excess  costs.  Banks  such 
as  Wachovia  keep  customers  happy  by  adopting  a  phased  integration  over  three  to  four  years  versus 
the  less-than-a-year  approach  that  has  been  the  norm  in  stitching  big  banks  together.  Training  of 
customer-facing  staff  is  getting  new  emphasis,  and  the  integration  process  is  now  centrally  managed. 


Q&A with Howard Gardner By Edward Prewitt | 74

HARVARD PSYCHOLOGIST HOWARD GARDNER, noted for his theory of multiple intelligences,
recently published Changing Minds: The Art and Science of Changing Our Own and Other
People’s Minds. Gardner’s research reveals the best ways to convince others (or yourself) to adopt a
different viewpoint in various settings, including business. Among Gardner’s seven levers for change
is “representational redescriptions,” that is, getting your message out in lots of different ways. People
also respond well to stories, Gardner says, but there has to be a protagonist, goals, obstacles people
can identify with and an ultimate resolution. To change a person’s mind in one-on-one encounters,
execs need to do their homework. “You need to know if this person is a story person, a theory person,
an emotion person or a paranoid person,” Gardner says. “You need to know what are the sets
of levers that work with him.”


“I’ve  spent  43  years  of 
my  life  running  projects, 
and  I’m  very  good  at  it. 

It’s  almost  mind-boggling 
how  difficult  this  was 
to  do.” 

-JOHN  REECE,  FORMER  CIO,  IRS 


How to Become a Fixture as a CIO By Ben Worthen | 78

IT’S  NOT  ALL  THAT  UNCOMMON—lots  of  companies  have  experienced  CIO  churn  to  a 
degree,  and  some  are  veritable  revolving  doors.  Turnovers  can  happen  for  many  different  reasons: 
inadequate  hires,  dysfunctional  cultures,  mergers  and  acquisitions.  There  may  be  good  reasons,  but 
it’s  not  good  for  the  organization,  and  it’s  a  challenge  for  any  IT  leader  brave  (or  foolhardy)  enough 
to  boldly  go  where  many  have  gone  before.  CIOs  in  companies  with  historically  high  churn  say  the 
solution  to  breaking  the  cycle  falls  into  two  categories.  The  first  is  marketing  and  communications: 
The  CIO  has  to  change  the  way  other  executives  talk  about  IT — from  a  cost  discussion  to  a  business 
benefit  discussion.  Second,  the  CIO  must  make  repairs  in  the  damaged,  demoralized  IT  department 
just  inherited.  IT  execs  from  Ecolab  (13  CIOs  in  26  years),  the  United  States  Tennis  Association  (four 
CIOs  in  10  years)  and  others  tell  how  they’ve  battled  churn. 




